Convert branch protections to rule sets #7095

Merged
merged 3 commits into from
Feb 18, 2025
131 changes: 79 additions & 52 deletions .github/repository-settings.md
Expand Up @@ -5,71 +5,98 @@ Repository settings in addition to what's documented already at

## General > Pull Requests

* Allow squash merging > Default to pull request title
- Allow squash merging > Default to pull request title

- Allow auto-merge

## Actions > General

* Fork pull request workflows from outside collaborators:
- Fork pull request workflows from outside collaborators:
"Require approval for first-time contributors who are new to GitHub"

(To reduce friction for new contributors,
as the default is "Require approval for first-time contributors")

## Branch protections

The order of branch protection rules
[can be important](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule#about-branch-protection-rules).
The branch protection rules below should be added before the `**/**` branch protection rule
(this may require deleting the `**/**` rule and recreating it at the end).

### `main`

* Require branches to be up to date before merging: UNCHECKED

(PR jobs take too long, and leaving this unchecked has not been a significant problem)

* Status checks that are required:

* EasyCLA
* required-status-check

### `release/*`

Same settings as above for `main`, except:
- Workflow permissions
- Default permissions granted to the `GITHUB_TOKEN` when running workflows in this repository:
Read repository contents and packages permissions
- Allow GitHub Actions to create and approve pull requests: UNCHECKED

## Rules > Rulesets

### `main` and release branches

- Targeted branches:
- `main`
- `release/*`
- Branch rules
- Restrict deletions: CHECKED
- Require linear history: CHECKED
- Require a pull request before merging: CHECKED
- Required approvals: 1
- Require review from Code Owners: CHECKED
- Allowed merge methods: Squash
- Require status checks to pass
- Do not require status checks on creation: CHECKED
- Status checks that are required
- EasyCLA
- `required-status-check`
- `gradle-wrapper-validation`
- Block force pushes: CHECKED
- Require code scanning results: CHECKED
- CodeQL
- Security alerts: High or higher
- Alerts: Errors

### `benchmarks` branch

- Targeted branches:
- `benchmarks`
- Branch rules
- Restrict deletions: CHECKED
- Require linear history: CHECKED
- Block force pushes: CHECKED

### Old-style release branches

- Targeted branches:
- `v0.*`
- `v1.*`
- Branch rules
- Restrict creations: CHECKED
- Restrict updates: CHECKED
- Restrict deletions: CHECKED

### Restrict branch creation

- Targeted branches
- Exclude:
- `release/*`
- `renovate/**/*`
- `otelbot/**/*`
- `revert-*/**/*` (these are created when using the GitHub UI to revert a PR)
- Restrict creations: CHECKED

### Restrict updating tags

- Targeted tags
- All tags
- Restrict updates: CHECKED
- Restrict deletions: CHECKED

* Restrict pushes that create matching branches: UNCHECKED

(So that opentelemetrybot can create release branches)

### `renovate/**/**`, and `opentelemetrybot/*`

* Require status checks to pass before merging: UNCHECKED

(So that renovate PRs can be rebased)

* Restrict who can push to matching branches: UNCHECKED

(So that bots can create PR branches in this repository)

* Allow force pushes > Everyone

(So that renovate PRs can be rebased)

* Allow deletions: CHECKED
## Branch protections

(So that bot PR branches can be deleted)
### `main`, `release/*`

### `benchmarks`
- Restrict who can push to matching branches: CHECKED

- Everything UNCHECKED
## Code security and analysis

(This branch is currently only used for directly pushing benchmarking results from the
[overhead benchmark](https://github.com/open-telemetry/opentelemetry-java/actions/workflows/benchmark.yml)
job)
- Secret scanning: Enabled

## Secrets and variables > Actions

* `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
* `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
* `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
* `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
- `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
- `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
- `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
- `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
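Review bot: the new ruleset sections drop the rationales the old branch-protection text carried, so the file no longer records why several deliberate choices were made: why `release/*` is excluded from the "Restrict branch creation" ruleset (the removed line reads "So that opentelemetrybot can create release branches"), why the `benchmarks` branch gets only the deletion, linear-history and force-push rules (the removed text explains it is pushed to directly by the overhead benchmark job), and whether "Require branches to be up to date before merging" stays UNCHECKED under "Require status checks to pass" for `main` and `release/*`, which the old `main` section documented together with its reasoning about PR job duration. Suggest carrying those three parentheticals over into the corresponding ruleset sections, e.g. under the `benchmarks` ruleset: `(This branch is currently only used for directly pushing benchmarking results from the overhead benchmark job)`. Also worth confirming the bot branch prefix: the removed section was headed `renovate/**/**`, and `opentelemetrybot/*`, while the new exclusion list uses `otelbot/**/*`; if the bot still creates branches under `opentelemetrybot/`, "Restrict creations" would block its PR branches.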