Branch Protection #23
| name: Branch Protection | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| # Run weekly to ensure branch protection rules are maintained | |
| - cron: "0 0 * * 0" | |
| jobs: | |
| setup-branch-protection: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Branch Protection Rules | |
| uses: actions/github-script@v7 | |
| continue-on-error: true # Don't fail if permissions are insufficient | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const owner = context.repo.owner; | |
| const repo = context.repo.repo; | |
| // Main branch protection rules | |
| const mainProtection = { | |
| required_status_checks: { | |
| strict: true, | |
| contexts: [ | |
| 'test (20.x)', | |
| 'test (22.x)', | |
| 'security', | |
| 'code-quality', | |
| 'compatibility (ubuntu-latest, 20.x)', | |
| 'compatibility (windows-latest, 20.x)', | |
| 'compatibility (macos-latest, 20.x)', | |
| 'pr-validation', | |
| 'template-integrity', | |
| 'version-consistency', | |
| 'registry-validation' | |
| ] | |
| }, | |
| enforce_admins: false, // Allow admins to bypass for emergency fixes | |
| required_pull_request_reviews: { | |
| required_approving_review_count: 1, | |
| dismiss_stale_reviews: true, | |
| require_code_owner_reviews: false, | |
| require_last_push_approval: false | |
| }, | |
| restrictions: null, // No user/team restrictions | |
| allow_force_pushes: false, | |
| allow_deletions: false, | |
| block_creations: false, | |
| required_conversation_resolution: true, | |
| lock_branch: false, | |
| allow_fork_syncing: true | |
| }; | |
| try { | |
| await github.rest.repos.updateBranchProtection({ | |
| owner, | |
| repo, | |
| branch: 'main', | |
| ...mainProtection | |
| }); | |
| console.log('✅ Main branch protection rules updated successfully'); | |
| } catch (error) { | |
| console.error('❌ Failed to update main branch protection:', error.message); | |
| // Don't fail the workflow if branch protection can't be set | |
| // This might happen due to permissions or repository settings | |
| } | |
| // Develop branch protection rules (if it exists) | |
| try { | |
| await github.rest.repos.getBranch({ | |
| owner, | |
| repo, | |
| branch: 'develop' | |
| }); | |
| const developProtection = { | |
| required_status_checks: { | |
| strict: true, | |
| contexts: [ | |
| 'test (20.x)', | |
| 'security', | |
| 'code-quality' | |
| ] | |
| }, | |
| enforce_admins: false, | |
| required_pull_request_reviews: { | |
| required_approving_review_count: 1, | |
| dismiss_stale_reviews: false, | |
| require_code_owner_reviews: false | |
| }, | |
| restrictions: null, | |
| allow_force_pushes: false, | |
| allow_deletions: false | |
| }; | |
| await github.rest.repos.updateBranchProtection({ | |
| owner, | |
| repo, | |
| branch: 'develop', | |
| ...developProtection | |
| }); | |
| console.log('✅ Develop branch protection rules updated successfully'); | |
| } catch (error) { | |
| if (error.status === 404) { | |
| console.log('ℹ️ Develop branch does not exist, skipping protection setup'); | |
| } else { | |
| console.error('❌ Failed to update develop branch protection:', error.message); | |
| } | |
| } |