Convert branch protections to rule sets (#7095)

Author: trask

.github/repository-settings.md

@@ -5,71 +5,98 @@ Repository settings in addition to what's documented already at
 
 ## General > Pull Requests
 
-* Allow squash merging > Default to pull request title
+- Allow squash merging > Default to pull request title
+
+- Allow auto-merge
 
 ## Actions > General
 
-* Fork pull request workflows from outside collaborators:
+- Fork pull request workflows from outside collaborators:
   "Require approval for first-time contributors who are new to GitHub"
 
   (To reduce friction for new contributors,
   as the default is "Require approval for first-time contributors")
 
-## Branch protections
-
-The order of branch protection rules
-[can be important](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule#about-branch-protection-rules).
-The branch protection rules below should be added before the `**/**` branch protection rule
-(this may require deleting the `**/**` rule and recreating it at the end).
-
-### `main`
-
-* Require branches to be up to date before merging: UNCHECKED
-
-  (PR jobs take too long, and leaving this unchecked has not been a significant problem)
-
-* Status checks that are required:
-
-  * EasyCLA
-  * required-status-check
-
-### `release/*`
-
-Same settings as above for `main`, except:
+- Workflow permissions
+  - Default permissions granted to the `GITHUB_TOKEN` when running workflows in this repository:
+    Read repository contents and packages permissions
+  - Allow GitHub Actions to create and approve pull requests: UNCHECKED
+
+## Rules > Rulesets
+
+### `main` and release branches
+
+- Targeted branches:
+  - `main`
+  - `release/*`
+- Branch rules
+  - Restrict deletions: CHECKED
+  - Require linear history: CHECKED
+  - Require a pull request before merging: CHECKED
+    - Required approvals: 1
+    - Require review from Code Owners: CHECKED
+    - Allowed merge methods: Squash
+  - Require status checks to pass
+    - Do not require status checks on creation: CHECKED
+    - Status checks that are required
+      - EasyCLA
+      - `required-status-check`
+      - `gradle-wrapper-validation`
+  - Block force pushes: CHECKED
+  - Require code scanning results: CHECKED
+    - CodeQL
+      - Security alerts: High or higher
+      - Alerts: Errors
+
+### `benchmarks` branch
+
+- Targeted branches:
+  - `benchmarks`
+- Branch rules
+  - Restrict deletions: CHECKED
+  - Require linear history: CHECKED
+  - Block force pushes: CHECKED
+
+### Old-style release branches
+
+- Targeted branches:
+  - `v0.*`
+  - `v1.*`
+- Branch rules
+  - Restrict creations: CHECKED
+  - Restrict updates: CHECKED
+  - Restrict deletions: CHECKED
+
+### Restrict branch creation
+
+- Targeted branches
+  - Exclude:
+    - `release/*`
+    - `renovate/**/*`
+    - `otelbot/**/*`
+    - `revert-*/**/*` (these are created when using the GitHub UI to revert a PR)
+- Restrict creations: CHECKED
+
+### Restrict updating tags
+
+- Targeted tags
+  - All tags
+- Restrict updates: CHECKED
+- Restrict deletions: CHECKED
 
-* Restrict pushes that create matching branches: UNCHECKED
-
-  (So that opentelemetrybot can create release branches)
-
-### `renovate/**/**`, and `opentelemetrybot/*`
-
-* Require status checks to pass before merging: UNCHECKED
-
-  (So that renovate PRs can be rebased)
-
-* Restrict who can push to matching branches: UNCHECKED
-
-  (So that bots can create PR branches in this repository)
-
-* Allow force pushes > Everyone
-
-  (So that renovate PRs can be rebased)
-
-* Allow deletions: CHECKED
+## Branch protections
 
-  (So that bot PR branches can be deleted)
+### `main`, `release/*`
 
-### `benchmarks`
+- Restrict who can push to matching branches: CHECKED
 
-- Everything UNCHECKED
+## Code security and analysis
 
-  (This branch is currently only used for directly pushing benchmarking results from the
-  [overhead benchmark](https://github.com/open-telemetry/opentelemetry-java/actions/workflows/benchmark.yml)
-  job)
+- Secret scanning: Enabled
 
 ## Secrets and variables > Actions
 
-* `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
-* `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
-* `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
-* `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
+- `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
+- `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
+- `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
+- `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)