From 7141f87d8c0e21f53b98a8dce89d26582dd552b5 Mon Sep 17 00:00:00 2001
From: Wolfgang Walther <walther@technowledgy.de>
Date: Thu, 24 Jul 2025 09:17:27 +0200
Subject: [PATCH] rulesets: add default branch protection for all repositories

This adds a default branch protection ruleset for *all* (existing and
future) repositories in the NixOS org. It only targets the default
branch and disallows deletion and force pushes.
---
 rulesets/no-rewrite-history.json | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rulesets/no-rewrite-history.json

diff --git a/rulesets/no-rewrite-history.json b/rulesets/no-rewrite-history.json
new file mode 100644
index 0000000..58c228f
--- /dev/null
+++ b/rulesets/no-rewrite-history.json
@@ -0,0 +1,31 @@
+{
+  "id": 8657816,
+  "name": "no-rewrite-history",
+  "target": "branch",
+  "source_type": "Organization",
+  "source": "NixOS",
+  "enforcement": "active",
+  "conditions": {
+    "ref_name": {
+      "exclude": [],
+      "include": [
+        "~DEFAULT_BRANCH"
+      ]
+    },
+    "repository_name": {
+      "exclude": [],
+      "include": [
+        "~ALL"
+      ]
+    }
+  },
+  "rules": [
+    {
+      "type": "deletion"
+    },
+    {
+      "type": "non_fast_forward"
+    }
+  ],
+  "bypass_actors": []
+}
\ No newline at end of file