Set release branch protection with approve reviews 2 #70

Merged: 1 commit, Nov 29, 2024

andrew-m-leonard
Contributor

Fixes adoptium/temurin-build#4045

Ensure build repository release branches "v*" have branch protection with 1 review required

@andrew-m-leonard andrew-m-leonard requested a review from a team as a code owner November 19, 2024 10:18

This is your friendly self-service bot.

Thank you for raising a pull request to update the configuration of your GitHub organization.
You can manually add reviewers to this PR to eventually enable auto-merging.

The following conditions need to be fulfilled for auto-merging to be available:

  • valid configuration
  • approved by a project lead
  • does not require any secrets
  • does not update settings only accessible via the GitHub Web UI
  • does not remove any resource
Otterdog commands and options

You can trigger otterdog actions by commenting on this PR:

  • /otterdog team-info checks the team / org membership for the PR author
  • /otterdog validate validates the configuration change
  • /otterdog validate info validates the configuration change, printing also validation infos
  • /otterdog check-sync checks if the base ref is in sync with live settings
  • /otterdog merge merges and applies the changes if the PR is eligible for auto-merging (only accessible for the author)
  • /otterdog done notifies the self-service bot that a required manual apply operation has been performed (only accessible for members of the admin team)
  • /otterdog apply re-apply a previously failed attempt (only accessible for members of the admin team)


This is your friendly self-service bot.

The author (andrew-m-leonard) of this PR is associated with this organization in the role of MEMBER.

Additionally, andrew-m-leonard is a member of the following teams:

@andrew-m-leonard andrew-m-leonard self-assigned this Nov 19, 2024

@andrew-m-leonard
Contributor Author

/otterdog validate

@andrew-m-leonard
Contributor Author

/otterdog validate info

@tellison
Contributor

Likely OK, but v* has the potential to match a broad range of branch names.
Do you think it would overcomplicate to add a more specific expression that only matches the expected pattern?
I don't feel too strongly about it though.

@netomi
Contributor

netomi commented Nov 19, 2024

You can be more specific about the pattern, this one would match currently 11 branches in the temurin-build repo: v[0-9]*.[0-9]*[.+][0-9]*

@netomi
Contributor

netomi commented Nov 19, 2024

but I would suggest to look into Rulesets. They are the same as branch protection rules but offer things also wrt matching branches / tags.

@andrew-m-leonard
Contributor Author

> Likely OK, but v* has the potential to match a broad range of branch names. Do you think it would overcomplicate to add a more specific expression that only matches the expected pattern? I don't feel too strongly about it though

@tellison
My initial thought was ALL branches, although it would need to be "!main", hence I just made it "v*".

I could make it "v[0-9][0-9][0-9][0-9][.][0-9][0-9][.][0-9][0-9]"
but we have been known to accidentally name the release branch wrongly... but still use it, e.g.: https://github.com/adoptium/temurin-build/tree/v2024.04%2B01
so I think I'd prefer to stay with "v*"

@andrew-m-leonard
Contributor Author

> You can be more specific about the pattern, this one would match currently 11 branches in the temurin-build repo: v[0-9]*.[0-9]*[.+][0-9]*

I'd actually like to be less specific, as really ALL branches in these repos should be protected
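
The patterns debated above, compared side by side (an added example, not part of this PR or of otterdog). It assumes GitHub's documented matching for branch protection patterns, Ruby's `File.fnmatch` with `File::FNM_PATHNAME`; every branch name except `v2024.04+01` is constructed for illustration.

```ruby
# Added example: which branch names each candidate pattern would protect.
# Assumption: GitHub evaluates branch protection patterns with File.fnmatch
# and the File::FNM_PATHNAME flag, so "*" never matches a "/".

PATTERNS = {
  "broad"   => "v*",                          # first proposal in the thread
  "applied" => "v20*",                        # pattern in the validated plan
  "netomi"  => "v[0-9]*.[0-9]*[.+][0-9]*",    # suggested narrower pattern
  "strict"  => "v[0-9][0-9][0-9][0-9][.][0-9][0-9][.][0-9][0-9]",
}.freeze

# Only v2024.04+01 appears in the thread; the other names are constructed.
BRANCHES = %w[
  main v2024.04+01 v2024.10.02 v1.0-experiment vendor-update v2024/fix
].freeze

# True when a rule with this pattern would apply to the branch.
def protected?(pattern, branch)
  File.fnmatch(pattern, branch, File::FNM_PATHNAME)
end

# Map each pattern label to the branches it covers.
def coverage(patterns = PATTERNS, branches = BRANCHES)
  patterns.transform_values { |pat| branches.select { |b| protected?(pat, b) } }
end

# Branches a single pattern leaves without the rule.
def unprotected(pattern, branches = BRANCHES)
  branches.reject { |b| protected?(pattern, b) }
end

if __FILE__ == $PROGRAM_NAME
  coverage.each { |name, hits| puts format("%-8s %s", name, hits.join(", ")) }
end
```

The misnamed `v2024.04+01` branch is covered by every pattern except the strict one, and a name containing `/` escapes all four because `*` stops at the separator.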

Member

@sxa sxa left a comment

Blocking pending PMC discussion tomorrow (but as per the retrospective I'm personally happy with this ;-) )

@smlambert
Contributor

I am also +1 to this. We had to ensure branch protection was turned on for aqa-tests in the past and I was surprised it was not the default template for EF projects.

@andrew-m-leonard andrew-m-leonard requested a review from sxa November 27, 2024 15:59
@andrew-m-leonard
Contributor Author

@sxa @smlambert Can I get your reviews please now this has been agreed? thanks

Member

@sxa sxa left a comment

@andrew-m-leonard Could you pre-squash these commits so we don't merge this with the commit message saying 1 please? (Same for the PR description for housekeeping purposes)?

This is your friendly self-service bot.
Please find below the validation of the requested configuration changes:

Diff for aa4b2dc
Organization adoptium[id=adoptium]
  there have been 4 validation infos, enable verbose output with '-v' to to display them.

+  add branch_protection_rule[pattern="v20*", repository="ci-jenkins-pipelines"] {
+    allows_deletions                  = false
+    allows_force_pushes               = false
+    blocks_creations                  = false
+    bypass_force_push_allowances      = []
+    bypass_pull_request_allowances    = []
+    dismisses_stale_reviews           = false
+    is_admin_enforced                 = false
+    lock_allows_fetch_and_merge       = false
+    lock_branch                       = false
+    pattern                           = "v20*"
+    require_last_push_approval        = false
+    required_approving_review_count   = 2
+    required_status_checks            = [
+      "eclipse-eca-validation:eclipsefdn/eca"
+    ],
+    requires_code_owner_reviews       = false
+    requires_commit_signatures        = false
+    requires_conversation_resolution  = false
+    requires_deployments              = false
+    requires_linear_history           = false
+    requires_pull_request             = true
+    requires_status_checks            = true
+    requires_strict_status_checks     = false
+    restricts_pushes                  = false
+    restricts_review_dismissals       = false
+  }
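
Review bot: `is_admin_enforced = false` in this rule leaves the two-approval requirement bypassable by repository administrators, and the empty `bypass_pull_request_allowances = []` does not change that. If review on release branches is meant to be mandatory for everyone, set `is_admin_enforced = true` here and in the matching rules for jenkins-helper and temurin-build.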

+  add branch_protection_rule[pattern="v20*", repository="jenkins-helper"] {
+    allows_deletions                  = false
+    allows_force_pushes               = false
+    blocks_creations                  = false
+    bypass_force_push_allowances      = []
+    bypass_pull_request_allowances    = []
+    dismisses_stale_reviews           = false
+    is_admin_enforced                 = false
+    lock_allows_fetch_and_merge       = false
+    lock_branch                       = false
+    pattern                           = "v20*"
+    require_last_push_approval        = false
+    required_approving_review_count   = 2
+    required_status_checks            = [
+      "eclipse-eca-validation:eclipsefdn/eca"
+    ],
+    requires_code_owner_reviews       = false
+    requires_commit_signatures        = false
+    requires_conversation_resolution  = false
+    requires_deployments              = false
+    requires_linear_history           = false
+    requires_pull_request             = true
+    requires_status_checks            = true
+    requires_strict_status_checks     = false
+    restricts_pushes                  = false
+    restricts_review_dismissals       = false
+  }
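
Review bot: with `dismisses_stale_reviews = false` and `require_last_push_approval = false`, the approvals counted towards `required_approving_review_count = 2` stay valid after further commits are pushed to the pull request, so the final content can merge without having been reviewed. Consider enabling at least one of the two; the same applies to the other two repositories in this plan.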

+  add branch_protection_rule[pattern="v20*", repository="temurin-build"] {
+    allows_deletions                  = false
+    allows_force_pushes               = false
+    blocks_creations                  = false
+    bypass_force_push_allowances      = []
+    bypass_pull_request_allowances    = []
+    dismisses_stale_reviews           = false
+    is_admin_enforced                 = false
+    lock_allows_fetch_and_merge       = false
+    lock_branch                       = false
+    pattern                           = "v20*"
+    require_last_push_approval        = false
+    required_approving_review_count   = 2
+    required_status_checks            = [
+      "eclipse-eca-validation:eclipsefdn/eca"
+    ],
+    requires_code_owner_reviews       = false
+    requires_commit_signatures        = false
+    requires_conversation_resolution  = false
+    requires_deployments              = false
+    requires_linear_history           = false
+    requires_pull_request             = true
+    requires_status_checks            = true
+    requires_strict_status_checks     = false
+    restricts_pushes                  = false
+    restricts_review_dismissals       = false
+  }
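
Review bot: `pattern = "v20*"` is narrower than the "v*" named in the PR description and argued for in the discussion, and nothing in the thread records why it changed. A release branch whose name does not begin with `v20` is not covered by this rule, so either document the naming convention the pattern relies on or add a fallback rule for other branches, as the author's "ALL branches ... should be protected" comment suggests.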
  
  Plan: 3 to add, 0 to change, 0 to delete.

@andrew-m-leonard andrew-m-leonard changed the title Set release branch protection with approve reviews 1 Set release branch protection with approve reviews 2 Nov 27, 2024
@andrew-m-leonard
Contributor Author

> @andrew-m-leonard Could you pre-squash these commits so we don't merge this with the commit message saying 1 please? (Same for the PR description for housekeeping purposes)?

@sxa thanks done

@andrew-m-leonard andrew-m-leonard requested a review from sxa November 27, 2024 17:17

This is your friendly self-service bot. The current configuration is in-sync with the live settings. 🚀

Contributor

@smlambert smlambert left a comment


This is your friendly self-service bot.
This Pull Request is eligible for auto-merging as it passed the following checks:

  • valid configuration
  • approved by a project lead
  • does not require any secrets
  • does not update settings only accessible via the GitHub Web UI
  • does not remove any resource

In order to automatically merge and apply the changes, add a comment /otterdog merge. 🚀

Contributor

@steelhead31 steelhead31 left a comment

Looks good!

@andrew-m-leonard
Contributor Author

@netomi This is now ready for merging please

@netomi
Contributor

netomi commented Nov 29, 2024

In order to automatically merge and apply the changes, add a comment /otterdog merge. 🚀

@adamfarley

/otterdog merge


This is your friendly self-service bot.
Only the author of the pull request, a project-lead or a member of the admin teams is allowed to auto-merge it.

@andrew-m-leonard
Contributor Author

/otterdog merge

@eclipse-otterdog eclipse-otterdog bot merged commit b1fe2c3 into adoptium:main Nov 29, 2024
3 checks passed

This is your friendly self-service bot.

The following changes have been successfully applied:

Organization adoptium[id=adoptium]
  there have been 4 validation infos, enable verbose output with '-v' to to display them.

+  add branch_protection_rule[pattern="v20*", repository="ci-jenkins-pipelines"] {
+    allows_deletions                  = false
+    allows_force_pushes               = false
+    blocks_creations                  = false
+    bypass_force_push_allowances      = []
+    bypass_pull_request_allowances    = []
+    dismisses_stale_reviews           = false
+    is_admin_enforced                 = false
+    lock_allows_fetch_and_merge       = false
+    lock_branch                       = false
+    pattern                           = "v20*"
+    require_last_push_approval        = false
+    required_approving_review_count   = 2
+    required_status_checks            = [
+      "eclipse-eca-validation:eclipsefdn/eca"
+    ],
+    requires_code_owner_reviews       = false
+    requires_commit_signatures        = false
+    requires_conversation_resolution  = false
+    requires_deployments              = false
+    requires_linear_history           = false
+    requires_pull_request             = true
+    requires_status_checks            = true
+    requires_strict_status_checks     = false
+    restricts_pushes                  = false
+    restricts_review_dismissals       = false
+  }

+  add branch_protection_rule[pattern="v20*", repository="jenkins-helper"] {
+    allows_deletions                  = false
+    allows_force_pushes               = false
+    blocks_creations                  = false
+    bypass_force_push_allowances      = []
+    bypass_pull_request_allowances    = []
+    dismisses_stale_reviews           = false
+    is_admin_enforced                 = false
+    lock_allows_fetch_and_merge       = false
+    lock_branch                       = false
+    pattern                           = "v20*"
+    require_last_push_approval        = false
+    required_approving_review_count   = 2
+    required_status_checks            = [
+      "eclipse-eca-validation:eclipsefdn/eca"
+    ],
+    requires_code_owner_reviews       = false
+    requires_commit_signatures        = false
+    requires_conversation_resolution  = false
+    requires_deployments              = false
+    requires_linear_history           = false
+    requires_pull_request             = true
+    requires_status_checks            = true
+    requires_strict_status_checks     = false
+    restricts_pushes                  = false
+    restricts_review_dismissals       = false
+  }

+  add branch_protection_rule[pattern="v20*", repository="temurin-build"] {
+    allows_deletions                  = false
+    allows_force_pushes               = false
+    blocks_creations                  = false
+    bypass_force_push_allowances      = []
+    bypass_pull_request_allowances    = []
+    dismisses_stale_reviews           = false
+    is_admin_enforced                 = false
+    lock_allows_fetch_and_merge       = false
+    lock_branch                       = false
+    pattern                           = "v20*"
+    require_last_push_approval        = false
+    required_approving_review_count   = 2
+    required_status_checks            = [
+      "eclipse-eca-validation:eclipsefdn/eca"
+    ],
+    requires_code_owner_reviews       = false
+    requires_commit_signatures        = false
+    requires_conversation_resolution  = false
+    requires_deployments              = false
+    requires_linear_history           = false
+    requires_pull_request             = true
+    requires_status_checks            = true
+    requires_strict_status_checks     = false
+    restricts_pushes                  = false
+    restricts_review_dismissals       = false
+  }

  
  Applying changes:


  Done.
  
  Executed plan: 3 added, 0 changed, 0 deleted.

Successfully merging this pull request may close these issues.

Bug: Repository release branches don't have mandatory PR review
7 participants