From 1d3b2262f4872f853e7ca9b48c6d091826d37df2 Mon Sep 17 00:00:00 2001
From: Siddharth Kshetrapal <siddharthkp@github.com>
Date: Thu, 26 Mar 2026 12:05:38 +0100
Subject: [PATCH 1/3] Fix lock-release workflow: use lock_branch and proper
 JSON format

---
 .github/workflows/lock-release.yml | 61 +++++++++++++-----------------
 1 file changed, 27 insertions(+), 34 deletions(-)

diff --git a/.github/workflows/lock-release.yml b/.github/workflows/lock-release.yml
index 8b02e74b97b..fb88a1e9167 100644
--- a/.github/workflows/lock-release.yml
+++ b/.github/workflows/lock-release.yml
@@ -29,23 +29,26 @@ jobs:
           owner: primer
           repositories: react
           private-key: ${{ secrets.PRIMER_APP_PRIVATE_KEY_SHARED }}
-      - name: Toggle rulesets
+      - name: Lock main branch
         run: |
-          # Allow react-release-conductor to bypass merge queue
+          # Lock main but allow react-release-conductor team to push
           gh api \
             --method PUT \
             -H "Accept: application/vnd.github+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/primer/react/rulesets/4089335 \
-            -F "bypass_actors[][actor_id]=12276524" \
-            -f "bypass_actors[][actor_type]=Team" \
-            -f "bypass_actors[][bypass_mode]=always"
-          gh api \
-            --method PUT \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/primer/react/rulesets/3801256 \
-            -f "enforcement=active"
+            /repos/primer/react/branches/main/protection \
+            --input - <<EOF
+          {
+            "lock_branch": true,
+            "restrictions": {
+              "teams": ["react-release-conductor"],
+              "users": []
+            },
+            "required_status_checks": null,
+            "enforce_admins": true,
+            "required_pull_request_reviews": null
+          }
+          EOF
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
@@ -62,32 +65,22 @@ jobs:
           owner: primer
           repositories: react
           private-key: ${{ secrets.PRIMER_APP_PRIVATE_KEY_SHARED }}
-      - name: Toggle rulesets
+      - name: Unlock main branch
         run: |
+          # Unlock branch and remove push restrictions
           gh api \
             --method PUT \
             -H "Accept: application/vnd.github+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/primer/react/rulesets/4089335 \
-            -F "bypass_actors[]"
-          gh api \
-            --method PUT \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/primer/react/rulesets/3801256 \
-            -f "enforcement=disabled"
-        env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
-      - name: Update all PRs that are toggled merge when ready
-        run: |
-          PR_NUMBERS=$(gh pr list -L 100 -R primer/react --state open --json number,baseRefName,autoMergeRequest,reviewDecision -q '.[] | select(.autoMergeRequest != null) | select(.baseRefName == "main") | select(.reviewDecision == "APPROVED") | .number')
-          if [ -n "$PR_NUMBERS" ]; then
-            echo "Updating $PR_NUMBERS"
-            for pr in $PR_NUMBERS; do
-              gh pr update-branch -R primer/react "$pr" || echo "Warning: failed to update PR #$pr (likely has conflicts)"
-            done
-          else
-            echo "No PRs to update."
-          fi
+            /repos/primer/react/branches/main/protection \
+            --input - <<EOF
+          {
+            "lock_branch": false,
+            "restrictions": null,
+            "required_status_checks": null,
+            "enforce_admins": false,
+            "required_pull_request_reviews": null
+          }
+          EOF
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

From e30bc86b71dfec622ee484cf057f2b0c315dba7e Mon Sep 17 00:00:00 2001
From: Siddharth Kshetrapal <siddharthkp@github.com>
Date: Thu, 26 Mar 2026 12:12:18 +0100
Subject: [PATCH 2/3] Unlock: delete branch protection instead of updating

---
 .github/workflows/lock-release.yml | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/lock-release.yml b/.github/workflows/lock-release.yml
index fb88a1e9167..11d1fbbaa47 100644
--- a/.github/workflows/lock-release.yml
+++ b/.github/workflows/lock-release.yml
@@ -67,20 +67,11 @@ jobs:
           private-key: ${{ secrets.PRIMER_APP_PRIVATE_KEY_SHARED }}
       - name: Unlock main branch
         run: |
-          # Unlock branch and remove push restrictions
+          # Delete the branch protection rule entirely
           gh api \
-            --method PUT \
+            --method DELETE \
             -H "Accept: application/vnd.github+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/primer/react/branches/main/protection \
-            --input - <<EOF
-          {
-            "lock_branch": false,
-            "restrictions": null,
-            "required_status_checks": null,
-            "enforce_admins": false,
-            "required_pull_request_reviews": null
-          }
-          EOF
+            /repos/primer/react/branches/main/protection
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

From a8e5834e02e653d018b8edbe7f3f88b4c89cbf9f Mon Sep 17 00:00:00 2001
From: Siddharth Kshetrapal <siddharthkp@github.com>
Date: Thu, 26 Mar 2026 12:13:58 +0100
Subject: [PATCH 3/3] Add comment clarifying branch protection vs rulesets

---
 .github/workflows/lock-release.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/lock-release.yml b/.github/workflows/lock-release.yml
index 11d1fbbaa47..29b3a14e7dd 100644
--- a/.github/workflows/lock-release.yml
+++ b/.github/workflows/lock-release.yml
@@ -67,7 +67,9 @@ jobs:
           private-key: ${{ secrets.PRIMER_APP_PRIVATE_KEY_SHARED }}
       - name: Unlock main branch
         run: |
-          # Delete the branch protection rule entirely
+          # Delete the branch protection rule entirely.
+          # Note: This workflow is the only thing using legacy branch protection.
+          # All other branch rules use rulesets, which are unaffected by this delete.
           gh api \
             --method DELETE \
             -H "Accept: application/vnd.github+json" \