
lock-release.yml: Use legacy branch protection instead of rulesets#7705

Merged: liuliu-dev merged 3 commits into main from fix-lock-release-workflow on Mar 26, 2026

Conversation

@siddharthkp (Member) commented Mar 26, 2026

Problem

If the main branch is locked by rulesets, enabling auto merge on a pull request says it will be merged. But it's not merged when the main branch is unlocked.

This is because auto merge is not reevaluated when the rule set changes.

Solution

Moved the lock-release workflow to legacy branch protection instead of rulesets because auto-merge still works with branch protection.

Tested the workflow by running it from this branch:

  • lock creates a branch protection rule that locks main with react-release-conductor as exception
  • unlocking deletes the branch protection rule
  • the release conductor exception works with lock_branch: true
  • auto merge works (tested this on a different repo, not in primer/react yet)

Classic branch protection does not use "bypass", so I had to give write access to the release conductor role, which feels okay because they already do.

@siddharthkp siddharthkp requested a review from a team as a code owner March 26, 2026 11:06
changeset-bot (Bot) commented Mar 26, 2026

⚠️ No Changeset found

Latest commit: a8e5834

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@github-actions github-actions Bot added the "staff" (Author is a staff member) label Mar 26, 2026
@siddharthkp siddharthkp added the "skip changeset" (This change does not need a changelog) label Mar 26, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Updates the release-lock GitHub Actions workflow to lock/unlock the main branch by calling the Branch Protection API, aiming to prevent merges during releases while fixing prior API validation issues.

Changes:

  • Replace prior ruleset toggling with PUT /branches/main/protection calls using JSON --input.
  • Lock main via lock_branch: true and configure push restrictions for the react-release-conductor team.
  • Unlock main via lock_branch: false and remove restrictions via restrictions: null.

Comments suppressed due to low confidence (1)

.github/workflows/lock-release.yml:83

  • The unlock step also sends required_status_checks: null, required_pull_request_reviews: null, and enforce_admins: false, which will leave main with weakened/disabled protection settings after the release lock is removed. If the intent is to only unlock the branch, this should restore (or preserve) the repo’s pre-existing protection settings rather than resetting them to null/false.
            /repos/primer/react/branches/main/protection \
            --input - <<EOF
          {
            "lock_branch": false,
            "restrictions": null,
            "required_status_checks": null,
            "enforce_admins": false,
            "required_pull_request_reviews": null
          }
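Review bot: the PR description says unlocking deletes the branch protection rule, but this body keeps the rule and rewrites it with lock_branch: false while every other field is null/false, so after the release main has no required status checks, no required reviews and enforce_admins off. If removing the rule is the intent, DELETE /repos/primer/react/branches/main/protection does that in one call; if main had a rule before the lock, fetch it with GET before locking and re-send those values here instead of the nulls.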

Comment on lines +39 to +50
/repos/primer/react/branches/main/protection \
--input - <<EOF
{
"lock_branch": true,
"restrictions": {
"teams": ["react-release-conductor"],
"users": []
},
"required_status_checks": null,
"enforce_admins": true,
"required_pull_request_reviews": null
}
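Review bot: with required_status_checks and required_pull_request_reviews both null in this lock body, the only control left on main during the release window is the push restriction to react-release-conductor, so anything that team pushes while the branch is locked lands without the checks and reviews the branch normally requires. Carry the existing required_status_checks and required_pull_request_reviews over from a GET of the current protection and let lock_branch and restrictions be the only fields this step changes.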
Copilot AI commented Mar 26, 2026

This PUT /branches/main/protection payload explicitly sets required_status_checks and required_pull_request_reviews to null, which disables those protections (and because this is a full update, it can overwrite the branch’s existing protection configuration). If main currently relies on required checks/reviews, running the lock will unintentionally turn them off. Consider fetching the current protection config first and re-sending it with only lock_branch/restrictions adjusted (or otherwise preserving the existing required checks/review settings).

This issue also appears on line 75 of the same file.

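One way to implement the "fetch the current protection, then re-send it with only lock_branch/restrictions adjusted" approach raised in the review above, as an added example that is not code from this PR or from the primer/react workflow. The helper name, the sample protection object and the team slug usage are constructed for this example; the field mapping follows the shapes of GET and PUT /repos/{owner}/{repo}/branches/{branch}/protection (GET wraps booleans as {"enabled": bool}, PUT takes plain booleans), and nested review settings such as dismissal restrictions are deliberately not carried over.

```python
# Constructed sample of a GET /repos/{owner}/{repo}/branches/main/protection
# response, trimmed to the fields this helper maps (real responses also carry url fields).
CURRENT_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": ["ci", "lint"]},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "enforce_admins": {"enabled": True},
    "required_linear_history": {"enabled": False},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "lock_branch": {"enabled": False},
    "restrictions": None,
}

REVIEW_FIELDS = ("dismiss_stale_reviews", "require_code_owner_reviews",
                 "required_approving_review_count", "require_last_push_approval")


def build_protection_update(current, lock, conductor_team):
    """Build the PUT .../branches/main/protection body for a lock or unlock step.

    PUT replaces the whole rule, so every setting other than lock_branch and
    restrictions is carried over from `current` instead of being reset to
    null/false. GET wraps booleans as {"enabled": bool}; PUT wants plain bools.
    """
    def flag(name):
        value = current.get(name)
        return bool(value.get("enabled")) if isinstance(value, dict) else False

    checks = current.get("required_status_checks")
    reviews = current.get("required_pull_request_reviews")
    return {
        "required_status_checks": None if checks is None else
            {"strict": bool(checks.get("strict")), "contexts": list(checks.get("contexts", []))},
        "required_pull_request_reviews": None if reviews is None else
            {k: reviews[k] for k in REVIEW_FIELDS if k in reviews},
        "enforce_admins": flag("enforce_admins"),
        "required_linear_history": flag("required_linear_history"),
        "allow_force_pushes": flag("allow_force_pushes"),
        "allow_deletions": flag("allow_deletions"),
        "lock_branch": lock,
        # Locked: only the release conductor team may push. Unlocked: no restriction,
        # matching this workflow's design (main had no push restriction before the lock).
        "restrictions": {"users": [], "teams": [conductor_team], "apps": []} if lock else None,
    }
```

Serialise the returned dict to JSON and pipe it to `gh api -X PUT repos/primer/react/branches/main/protection --input -` in place of the hand-written heredoc, with `current` taken from the matching GET call run just before.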
@github-actions github-actions Bot temporarily deployed to storybook-preview-7705 March 26, 2026 11:16 Inactive
@siddharthkp siddharthkp changed the title from "Fix lock-release workflow: use lock_branch and proper JSON format" to "lock-release.yml: Use legacy branch protection instead of rulesets" Mar 26, 2026
@liuliu-dev liuliu-dev (Contributor) left a comment

thank you! ❤️

@liuliu-dev liuliu-dev added the "integration-tests: skipped manually" (Changes in this PR do not require an integration test) label Mar 26, 2026
@liuliu-dev liuliu-dev merged commit f441841 into main Mar 26, 2026
84 of 85 checks passed
@liuliu-dev liuliu-dev deleted the fix-lock-release-workflow branch March 26, 2026 15:56