Skip to content

Revert "lock-release.yml: Use legacy branch protection instead of rulesets"#7719

Merged
siddharthkp merged 1 commit intomainfrom
revert-7705-fix-lock-release-workflow
Mar 30, 2026
Merged

Revert "lock-release.yml: Use legacy branch protection instead of rulesets"#7719
siddharthkp merged 1 commit intomainfrom
revert-7705-fix-lock-release-workflow

Conversation

@siddharthkp
Copy link
Copy Markdown
Member

@siddharthkp siddharthkp commented Mar 30, 2026

@siddharthkp siddharthkp requested a review from a team as a code owner March 30, 2026 20:52
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented Mar 30, 2026

⚠️ No Changeset found

Latest commit: 86cee25

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@siddharthkp siddharthkp requested a review from liuliu-dev March 30, 2026 20:53
@github-actions github-actions Bot added the staff Author is a staff member label Mar 30, 2026
@siddharthkp siddharthkp self-assigned this Mar 30, 2026
@siddharthkp siddharthkp added skip changeset This change does not need a changelog integration-tests: skipped manually Changes in this PR do not require an integration test and removed staff Author is a staff member labels Mar 30, 2026
@siddharthkp siddharthkp enabled auto-merge March 30, 2026 20:53
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR reverts a previous change to the release lock automation workflow, switching it back to toggling GitHub rulesets (rather than legacy branch protection) and adding additional unlock-time maintenance for eligible auto-merge PRs.

Changes:

  • Update the lock/unlock workflow to modify repository rulesets via gh api (including bypass actors and enforcement toggling).
  • Add an unlock step that updates branches for open, approved PRs with auto-merge enabled targeting main.
Comments suppressed due to low confidence (1)

.github/workflows/lock-release.yml:83

  • gh pr list -L 100 will only update the first 100 matching PRs; if there are more approved auto-merge PRs targeting main, the rest will be skipped. Consider increasing the limit or paging so the unlock step updates all eligible PRs reliably.
          PR_NUMBERS=$(gh pr list -L 100 -R primer/react --state open --json number,baseRefName,autoMergeRequest,reviewDecision -q '.[] | select(.autoMergeRequest != null) | select(.baseRefName == "main") | select(.reviewDecision == "APPROVED") | .number')

Comment thread .github/workflows/lock-release.yml
Comment on lines +32 to +42
- name: Toggle rulesets
run: |
# Lock main but allow react-release-conductor team to push
# Allow react-release-conductor to bypass merge queue
gh api \
--method PUT \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/primer/react/branches/main/protection \
--input - <<EOF
{
"lock_branch": true,
"restrictions": {
"teams": ["react-release-conductor"],
"users": []
},
"required_status_checks": null,
"enforce_admins": true,
"required_pull_request_reviews": null
}
EOF
/repos/primer/react/rulesets/4089335 \
-F "bypass_actors[][actor_id]=12276524" \
-f "bypass_actors[][actor_type]=Team" \
-f "bypass_actors[][bypass_mode]=always"
Copy link

Copilot AI Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description says the previous ruleset-based approach was reverted because bypass exceptions for release conductor do not work, but this change reintroduces ruleset bypass configuration. Can you clarify the intended behavior (rulesets vs legacy branch protection) and update either the workflow or PR description so they match?

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/lock-release.yml
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/primer/react/rulesets/4089335 \
-F "bypass_actors[]"
Copy link

Copilot AI Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-F "bypass_actors[]" is unlikely to clear the ruleset bypass list (it may serialize as an empty element rather than an empty array, or be rejected by the API schema). Use an explicit empty array payload for bypass_actors so the unlock step reliably removes the bypass actors.

Suggested change
-F "bypass_actors[]"
-f "bypass_actors=[]"

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/lock-release.yml
Comment on lines 35 to +48
gh api \
--method PUT \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/primer/react/branches/main/protection \
--input - <<EOF
{
"lock_branch": true,
"restrictions": {
"teams": ["react-release-conductor"],
"users": []
},
"required_status_checks": null,
"enforce_admins": true,
"required_pull_request_reviews": null
}
EOF
/repos/primer/react/rulesets/4089335 \
-F "bypass_actors[][actor_id]=12276524" \
-f "bypass_actors[][actor_type]=Team" \
-f "bypass_actors[][bypass_mode]=always"
gh api \
--method PUT \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/primer/react/rulesets/3801256 \
-f "enforcement=active"
Copy link

Copilot AI Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow hard-codes ruleset IDs (4089335/3801256) and a team actor_id (12276524). If a ruleset is recreated or the team ID changes, the lock/unlock automation will silently break. Consider moving these to repository variables/secrets and/or looking up the ruleset/team by name at runtime before calling gh api.

This issue also appears on line 83 of the same file.

Copilot uses AI. Check for mistakes.
@siddharthkp siddharthkp disabled auto-merge March 30, 2026 20:57
@siddharthkp siddharthkp enabled auto-merge March 30, 2026 20:57
@siddharthkp siddharthkp added this pull request to the merge queue Mar 30, 2026
Merged via the queue into main with commit 26c9fb5 Mar 30, 2026
78 of 80 checks passed
@siddharthkp siddharthkp deleted the revert-7705-fix-lock-release-workflow branch March 30, 2026 21:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@liuliu-dev liuliu-dev liuliu-dev approved these changes

@llastflowers llastflowers Awaiting requested review from llastflowers llastflowers is a code owner automatically assigned from primer/engineer-reviewers

Assignees

@siddharthkp siddharthkp

Labels

integration-tests: skipped manually Changes in this PR do not require an integration test skip changeset This change does not need a changelog

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@siddharthkp @liuliu-dev