github: branch protections #59048
Comments
I think another option is set a branch protection rule for all branches (*), and use BTW even when a PR or commit is accidentally merged, I've seen the next gitmirror force push and sync with the upstream. |
I've applied branch protections to the main Go repository. Any others you'd like locked down? |
We can do all golang.org/x GitHub mirrors too (and the special case without x, golang.org/dl). At least I can't think of a downside to treating them the same as the main Go repo mirror for the purpose of this issue. That'll leave various non-mirror repos or less clear cases (e.g. protobuf, leveldb, cwg, go-get-issue-15410, etc.). |
I mostly just don't want to do it manually. Seems like there's no CLI, you have to use graphql: I assume that the overwhelming majority of PRs go to the main repo, so I think this is done enough, personally. If someone wants to figure out the graphql I'm happy to run it as an admin. |
This should do it, I tested it on a few of my repos:

```go
package main

import (
	"context"
	"flag"
	"log"
	"os"

	"github.com/google/go-github/v53/github"
	"golang.org/x/oauth2"
)

func main() {
	// -r may be repeated, once per repository name.
	var repos []string
	flag.Func("r", "", func(s string) error {
		repos = append(repos, s)
		return nil
	})
	flag.Parse()

	// Authenticate with the token in the GH_TOKEN environment variable.
	ctx := context.Background()
	ts := oauth2.StaticTokenSource(
		&oauth2.Token{AccessToken: os.Getenv("GH_TOKEN")},
	)
	tc := oauth2.NewClient(ctx, ts)
	client := github.NewClient(tc)

	for _, repo := range repos {
		log.Println("setting branch protection for", repo)
		// Require one approving review, including one from a code owner, on master.
		_, _, err := client.Repositories.UpdateBranchProtection(ctx, "golang", repo, "master", &github.ProtectionRequest{
			RequiredPullRequestReviews: &github.PullRequestReviewsEnforcementRequest{
				RequireCodeOwnerReviews:      true,
				RequiredApprovingReviewCount: 1,
			},
		})
		if err != nil {
			log.Println("error updating branch protections for", repo, err)
			continue
		}
		log.Println("set branch protection for", repo)
	}
}
```

The list of public repos for the golang org is (I'm not sure if all of them should have this set?)
|
Sorry for the slow response. For the repos in question which are just Gerrit mirrors, only GopherBot should be able to push to them. So this is the (only) rule I applied: Is it easy to update the script to do that? |
I think this should work

```go
package main

import (
	"context"
	"flag"
	"log"
	"os"

	"github.com/google/go-github/v53/github"
	"golang.org/x/oauth2"
)

func main() {
	// -r may be repeated, once per repository name.
	var repos []string
	flag.Func("r", "", func(s string) error {
		repos = append(repos, s)
		return nil
	})
	flag.Parse()

	// Authenticate with the token in the GH_TOKEN environment variable.
	ctx := context.Background()
	ts := oauth2.StaticTokenSource(
		&oauth2.Token{AccessToken: os.Getenv("GH_TOKEN")},
	)
	tc := oauth2.NewClient(ctx, ts)
	client := github.NewClient(tc)

	for _, repo := range repos {
		log.Println("setting branch protection for", repo)
		// Restrict pushes to master to the gopherbot user; no teams or apps.
		_, _, err := client.Repositories.UpdateBranchProtection(ctx, "golang", repo, "master", &github.ProtectionRequest{
			Restrictions: &github.BranchRestrictionsRequest{
				Users: []string{"gopherbot"},
				Teams: []string{},
				Apps:  []string{},
			},
		})
		if err != nil {
			log.Println("error updating branch protections for", repo, err)
			continue
		}
		log.Println("set branch protection for", repo)
	}
}
```
|
Maybe I'm missing something, but arch is a real repo and the request seems appropriate based on the API docs. (Also I'd like to set it on all branches, but that really does require graphql apparently...) |
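A check for the rule discussed in the comments above (only GopherBot may push to the Gerrit mirrors), added here as an example and not part of the thread or of the Go project's tooling: it audits, offline, the JSON body returned by GitHub's "get branch protection" REST endpoint. The name `auditMirror`, the finding strings and the sample body are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Users carry "login"; teams and apps carry "slug". encoding/json matches
// these lowercase keys to the exported fields case-insensitively.
type actor struct{ Login, Slug string }

type protection struct {
	Restrictions *struct{ Users, Teams, Apps []actor }
}

// auditMirror returns findings for one response body; an empty result means
// the push allow-list contains bot and nothing else.
func auditMirror(body []byte, bot string) ([]string, error) {
	var p protection
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, fmt.Errorf("decoding protection: %w", err)
	}
	r := p.Restrictions
	if r == nil { // key absent or null: pushes are not restricted at all
		return []string{"no push restrictions set"}, nil
	}
	var out []string
	seen := false
	for _, u := range r.Users {
		if strings.EqualFold(u.Login, bot) {
			seen = true
		} else {
			out = append(out, "unexpected user: "+u.Login)
		}
	}
	if !seen {
		out = append(out, bot+" missing from allow-list")
	}
	for _, a := range append(r.Teams, r.Apps...) {
		out = append(out, "unexpected team or app: "+a.Slug)
	}
	return out, nil
}

// Constructed sample: the allow-list holds gopherbot plus one extra team.
const sample = `{"restrictions":{"users":[{"login":"gopherbot"}],"teams":[{"slug":"example-team"}],"apps":[]}}`

func main() {
	fmt.Println(auditMirror([]byte(sample), "gopherbot"))
}
```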
As someone in the "go-approvers" github group, I'm always slightly concerned about accidentally pressing the "Merge Pull Request" button when going through PRs.
Can we have branch protection to disable the button by default?
I believe matching the `master` branch with `Require a pull request before merging` with sub-options `Require approvals` and `Require review from Code Owners` will be sufficient to prevent accidental presses.

There's also a `Lock branch` option, though I'm unsure how it'll interact with the sync from upstream.

cc @golang/release