From 7f107f281faac3fcbbf2e54a44ba2fa926a406e3 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Thu, 18 Apr 2024 17:50:05 +0300
Subject: [PATCH] Tweak how push restrictions are handled
To avoid unnecessary churn in sigstore/community, only set RestrictPushes if the project has users in the pushRestrictions list.
Signed-off-by: Jussi Kukkonen
---
 main.go | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/main.go b/main.go
index 6af5277..62c313c 100644
--- a/main.go
+++ b/main.go
@@ -209,7 +209,7 @@ func main() {
 }
 }
- _, err = github.NewBranchProtection(ctx, fmt.Sprintf("%s-%s", repo.Name, protection.Pattern), &github.BranchProtectionArgs{
+ branchProtectionArgs := &github.BranchProtectionArgs{
 RepositoryId: newRepo.NodeId,
 Pattern: pulumi.String(protection.Pattern),
 EnforceAdmins: pulumi.Bool(protection.EnforceAdmins),
@@ -235,12 +235,18 @@ func main() {
 RequireLastPushApproval: pulumi.Bool(protection.RequireLastPushApproval),
 },
 },
- RestrictPushes: github.BranchProtectionRestrictPushArray{
+ }
+
+ if len(pushRestrictionsID) > 0 {
+ // if project does not list any users in pushRestrictions, assume no push restriction
+ branchProtectionArgs.RestrictPushes = github.BranchProtectionRestrictPushArray{
 &github.BranchProtectionRestrictPushArgs{
 PushAllowances: pulumi.ToStringArray(pushRestrictionsID),
 },
- },
- })
+ }
+ }
+
+ _, err = github.NewBranchProtection(ctx, fmt.Sprintf("%s-%s", repo.Name, protection.Pattern), branchProtectionArgs)
 if err != nil {
 return err
 }
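Review bot: The new `if len(pushRestrictionsID) > 0` guard in the second hunk fails open, because an empty slice now produces a branch protection with no `RestrictPushes` block at all. `pushRestrictionsID` is built earlier in `main`, outside this hunk, so it is not visible here whether it can also be empty when the project does list users but none of them resolved to an ID; if so, the branch would silently lose its push restriction. The omitted block is also a policy change for repositories that were previously created with an empty allowance list, which may not mean the same thing on the GitHub side as no restriction, so the first apply after this commit deserves a look at the plan output. I would make the condition depend on the configured pushRestrictions list rather than the resolved IDs, return an error when configured users resolve to nothing, and reword the comment to state the consequence, e.g. `// no users configured in pushRestrictions: RestrictPushes is deliberately left unset, so pushes are not restricted to an allow-list`.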