-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
protect main branch with .asf.yaml config #3285
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we add 3.x branche(s) here too, or that should be a separate commit on the 3.x branch?
@nickva my reading of the Apache docs are that although .asy.yaml is branch specific, configuration the pertains to branch protection needs to be in the default (main) branch. So If you want additional branches protected, they need adding to this PR. |
@glynnbird ah makes sense, metadata about protected branches would be in the main branch. Let's add 3.x to the list of branches then. |
.asf.yaml
Outdated
@@ -21,6 +21,8 @@ github: | |||
squash: true | |||
rebase: true | |||
merge: true | |||
protected_branches: | |||
main |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The referenced https://cwiki.apache.org/confluence/display/INFRA/git+-+.asf.yaml+features#Git.asf.yamlfeatures-BranchProtection is telling me
All protected branches in the YAML must be dictionary entries. Thus, if you only want to disable force push from a branch, you can construct a fake dictionary like so:
main | |
main: {} |
I agree with @bessbd 's analysis of the documentation. But I'm wondering -- should we be availing ourselves of some of the more specific branch protection features? I honestly thought we had several of those setup in the olden days. Maybe @wohali remembers the requirements we put in place? It looks like the set of options for a branch is as follows:
|
@kocolosk Yeah, we'd want to block commits to any release-able branch (main, 3.x, etc.) for anything that didn't pass, with some sort of 'emergency bypass' to deal with broken CI - sometimes in the past we had to talk to Infra to help with this, but it should be pretty rare. Haven't dug into these other (newer?) .asf.yaml features, sorry. |
The intent here is to require "branch must be up to date before merge / squash / rebase", and to further require a clean bill of health from Jenkins for `main` and `3.x`. I'm not so confident about the CI health of older branches to enable that protection there, and at any rate it's unlikely we'd be committing anything to those branches anyway.
As far as I can tell "emergency bypass" is still an Infra action:
I updated this PR to (I think) require up-to-date branches before merging, and further require Jenkins to be green for |
Overview
Added to
.asf.yaml
to protect the main branch and, by omission, unprotect the master branch.See https://cwiki.apache.org/confluence/display/INFRA/git+-+.asf.yaml+features#git.asf.yamlfeatures-BranchProtection
Testing recommendations
No code changes. Ensure after merge that the master branch is unprotected and the main branch is protected.
Related Issues or Pull Requests
n/a
Checklist
rel/overlay/etc/default.ini