@wolfgangwalther
Contributor

This adds a default branch protection ruleset for all (existing and future) repositories in the NixOS org. It only targets the default branch and disallows deletion and force pushes.

This seems like a reasonable default and I doubt that any repositories depend on being able to do either of those. And if they do, it's doubtful whether these repositories are in the right place in the NixOS org.

This needs to be imported on the organization level, via Settings -> Repository -> Rulesets.
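
Added example, not part of the pull request or the NixOS org's own tooling: a Python check that an exported ruleset JSON matches the description above (default branch only, all repositories, deletion and force pushes blocked). The sample ruleset is constructed; field names follow GitHub's ruleset JSON format, where `non_fast_forward` is the rule type that blocks force pushes.

```python
import json

# Constructed sample in the shape of GitHub's ruleset JSON; it is NOT the
# file added by this pull request.
SAMPLE_RULESET = json.loads("""
{
  "name": "default-branch-protection",
  "target": "branch",
  "enforcement": "active",
  "conditions": {
    "ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []},
    "repository_name": {"include": ["~ALL"], "exclude": []}
  },
  "rules": [{"type": "deletion"}, {"type": "non_fast_forward"}]
}
""")

EXPECTED_RULES = {"deletion", "non_fast_forward"}  # non_fast_forward = force push


def audit_ruleset(ruleset):
    """Return a list of findings; an empty list means the ruleset matches."""
    findings = []
    cond = ruleset.get("conditions", {})
    refs = cond.get("ref_name", {})
    repos = cond.get("repository_name", {})
    rule_types = {r.get("type", "<untyped>") for r in ruleset.get("rules", [])}

    if ruleset.get("target") != "branch":
        findings.append("target is not 'branch'")
    if ruleset.get("enforcement") != "active":
        findings.append("ruleset is not actively enforced")
    # Exactly the default branch, with no exclusions carved out.
    if refs.get("include") != ["~DEFAULT_BRANCH"] or refs.get("exclude"):
        findings.append("does not target exactly the default branch")
    # Every existing and future repository, with no exclusions.
    if repos.get("include") != ["~ALL"] or repos.get("exclude"):
        findings.append("does not cover all repositories")
    for missing in sorted(EXPECTED_RULES - rule_types):
        findings.append(f"missing rule: {missing}")
    for extra in sorted(rule_types - EXPECTED_RULES):
        findings.append(f"unexpected extra rule: {extra}")
    return findings


if __name__ == "__main__":
    print(audit_ruleset(SAMPLE_RULESET) or "ruleset matches the description")
```
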

@wolfgangwalther wolfgangwalther requested a review from a team as a code owner July 24, 2025 07:21
@wolfgangwalther
Contributor Author

I tried adding to the export.bash script to also export this default ruleset, but it seems like API access is only enabled for GitHub Teams:

% gh api /orgs/infinisil-test-org/rulesets
gh: Upgrade to GitHub Team to enable this feature. (HTTP 403)

Thus I can't test what the response looks like etc.

Since this is only a single rule, maybe exporting it once is not too bad. Alternatively, @infinisil, you could look into that and adjust the export script accordingly.

@infinisil
Member

infinisil commented Sep 24, 2025

I just did a survey of force pushes in the last year. Results:

@infinisil
Member

For my force pushes, that's when I set up the repo. I wouldn't have had any problem with being blocked from force pushing.

@wolfgangwalther
Contributor Author

We are certainly OK with not being able to force-push for nixpkgs-merge-bot.

@infinisil
Member

Btw I updated the links above to use the .. compare, not the ... compare, because only the former displays changes between force pushes correctly.

@wolfgangwalther
Contributor Author

Even without explicit feedback otherwise, I don't think these force pushes are required per se for the mentioned repos. Personally, I'd feel confident to still go ahead with this.

@zimbatm
Member

zimbatm commented Sep 29, 2025

We will need better tooling for applying rulesets before expanding this to all the repos. Otherwise it's going to be too much overhead for the org team.

@wolfgangwalther
Contributor Author

No, this is an org-wide default branch protection ruleset that will be applied once at the org level and will then apply to every repo's default branch only. It is very basic and not much work.

Member

@infinisil infinisil left a comment

Let's go for this; needs approval from another org owner though.

Member

@zimbatm zimbatm left a comment

Alright, in that case sounds good 👍

This adds a default branch protection ruleset for *all* (existing and
future) repositories in the NixOS org. It only targets the default
branch and disallows deletion and force pushes.

@infinisil
Member

Applied

@infinisil infinisil enabled auto-merge October 6, 2025 10:46
@infinisil infinisil merged commit 72f5257 into NixOS:main Oct 6, 2025
2 checks passed