github: branch protections #59048
Comments
cherrymui
added
the
NeedsInvestigation
|
I think another option is set a branch protection rule for all branches (*), and use BTW even when a PR or commit is accidentally merged, I've seen the next gitmirror force push and sync with the upstream. |
|
I've applied branch protections to the main Go repository. Any others you'd like locked down? |
|
We can do all golang.org/x GitHub mirrors too (and the special case without x, golang.org/dl). At least I can't think of a downside to treating them the same as the main Go repo mirror for the purpose of this issue. That'll leave various non-mirror repos or less clear cases (e.g. protobuf, leveldb, cwg, go-get-issue-15410, etc.). |
|
I mostly just don't want to do it manually. Seems like there's no CLI, you have to use graphql: I assume that the overwhelming majority of PRs go to the main repo, so I think this is done enough, personally. If someone wants to figure out the graphql I'm happy to run it as an admin. |
|
This should do it, I tested it on a few of my repos: package main
import (
"context"
"flag"
"log"
"os"
"github.com/google/go-github/v53/github"
"golang.org/x/oauth2"
)
func main() {
var repos []string
flag.Func("r", "", func(s string) error {
repos = append(repos, s)
return nil
})
flag.Parse()
ctx := context.Background()
ts := oauth2.StaticTokenSource(
&oauth2.Token{AccessToken: os.Getenv("GH_TOKEN")},
)
tc := oauth2.NewClient(ctx, ts)
client := github.NewClient(tc)
for _, repo := range repos {
log.Println("setting branch protection for", repo)
_, _, err := client.Repositories.UpdateBranchProtection(ctx, "golang", repo, "master", &github.ProtectionRequest{
RequiredPullRequestReviews: &github.PullRequestReviewsEnforcementRequest{
RequireCodeOwnerReviews: true,
RequiredApprovingReviewCount: 1,
},
})
if err != nil {
log.Println("error updating branch protections for", repo, err)
continue
}
log.Println("set branch protection for", repo)
}
}The list of public repos for the golang org is (I'm not sure if all of them should have this set?) |
|
Sorry for the slow response. For the repos in question which are just Gerrit mirrors, only GopherBot should be able to push to them. So this is the (only) rule I applied:
Is it easy to update the script to do that? |
|
I think this should work package main
import (
"context"
"flag"
"log"
"os"
"github.com/google/go-github/v53/github"
"golang.org/x/oauth2"
)
func main() {
var repos []string
flag.Func("r", "", func(s string) error {
repos = append(repos, s)
return nil
})
flag.Parse()
ctx := context.Background()
ts := oauth2.StaticTokenSource(
&oauth2.Token{AccessToken: os.Getenv("GH_TOKEN")},
)
tc := oauth2.NewClient(ctx, ts)
client := github.NewClient(tc)
for _, repo := range repos {
log.Println("setting branch protection for", repo)
_, _, err := client.Repositories.UpdateBranchProtection(ctx, "golang", repo, "master", &github.ProtectionRequest{
Restrictions: &github.BranchRestrictionsRequest{
Users: []string{"gopherbot"},
Teams: []string{},
Apps: []string{},
},
})
if err != nil {
log.Println("error updating branch protections for", repo, err)
continue
}
log.Println("set branch protection for", repo)
}
} |
|
Maybe I'm missing something, but arch is a real repo and the request seems appropriate based on the API docs. (Also I'd like to set it on all branches, but that really does require graphql apparently...) |
As someone in the "go-approvers" github group, I'm always slightly concerned about accidentally pressing the "Merge Pull Request" button when going through PRs.
Can we have branch protection to disable the button by default?
I believe matching the
masterbranch withRequire a pull request before mergingwith sub-optionsRequire approvalsandRequire review from Code Ownerswill be sufficient to prevent accidental presses.There's also a
Lock branchoption, though I'm unsure how it'll interact with the sync from upstream.cc @golang/release
The text was updated successfully, but these errors were encountered: