stacklok · rdimitrov · Oct 15, 2023 · Oct 10, 2023 · Oct 10, 2023 · Oct 11, 2023
diff --git a/docs/docs/protodocs/proto.md b/docs/docs/protodocs/proto.md
diff --git a/examples/github/profiles/profile.yaml b/examples/github/profiles/profile.yaml
@@ -12,18 +12,6 @@ repository:
   - type: secret_push_protection
     def:
       enabled: true
-  - type: branch_protection
-    params:
-      branch: main
-    def:
-      required_pull_request_reviews:
-        dismiss_stale_reviews: true
-        require_code_owner_reviews: true
-        required_approving_review_count: 1
-      required_linear_history: true
-      allow_force_pushes: false
-      allow_deletions: false
-      allow_fork_syncing: true
   - type: github_actions_allowed
     def:
       allowed_actions: selected
@@ -54,6 +42,70 @@ repository:
     def: {}
   - type: trivy_action_enabled
     def: {}
+  - type: branch_protection_enabled
+    params:
+      branch: main
+    def: {}
+  - type: branch_protection_allow_deletions
+    params:
+      branch: main
+    def:
+      allow_deletions: false
+  - type: branch_protection_allow_force_pushes
+    params:
+      branch: main
+    def:
+      allow_force_pushes: false
+  - type: branch_protection_enforce_admins
+    params:
+      branch: main
+    def:
+      enforce_admins: true
+  - type: branch_protection_lock_branch
+    params:
+      branch: main
+    def:
+      lock_branch: false
+  - type: branch_protection_require_conversation_resolution
+    params:
+      branch: main
+    def:
+      required_conversation_resolution: true
+  - type: branch_protection_require_linear_history
+    params:
+      branch: main
+    def:
+      required_linear_history: true
+  - type: branch_protection_require_pull_request_approving_review_count
+    params:
+      branch: main
+    def:
+      required_approving_review_count: 1
+  - type: branch_protection_require_pull_request_code_owners_review
+    params:
+      branch: main
+    def:
+      require_code_owner_reviews: true
+  - type: branch_protection_require_pull_request_dismiss_stale_reviews
+    params:
+      branch: main
+    def:
+      dismiss_stale_reviews: true
+  - type: branch_protection_require_pull_request_last_push_approval
+    params:
+      branch: main
+    def:
+      require_last_push_approval: true
+  - type: branch_protection_require_pull_requests
+    params:
+      branch: main
+    def:
+      required_pull_request_reviews: true
+  - type: branch_protection_require_signatures
+    params:
+      branch: main
+    def:
+      required_signatures: false
 artifact:
   - type: artifact_signature
     params:

diff --git a/examples/github/rule-types/branch_protection.yaml b/examples/github/rule-types/branch_protection.yaml
diff --git a/examples/github/rule-types/branch_protection_allow_deletions.yaml b/examples/github/rule-types/branch_protection_allow_deletions.yaml
@@ -0,0 +1,61 @@
+---
+version: v1
+type: rule-type
+name: branch_protection_allow_deletions
+context:
+  provider: github
+description: Whether the branch can be deleted
+guidance: |
+  ## Allow users with push access to delete matching branches.
+
+  For more information, see
+  https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
+def:
+  # Defines the section of the pipeline the rule will appear in.
+  # This will affect the template that is used to render multiple parts
+  # of the rule.
+  in_entity: repository
+  # Defines the schema for parameters that will be passed to the rule
+  param_schema:
+    properties:
+      branch:
+        type: string
+        description: "The name of the branch to check."
+    required:
+      - branch
+  # Defines the schema for writing a rule with this rule being checked
+  rule_schema:
+    properties:
+      allow_deletions:
+        type: boolean
+        description: "Allows deletion of the protected branch by anyone with write access to the repository."
+        default: false
+  # Defines the configuration for ingesting data relevant for the rule
+  ingest:
+    type: rest
+    rest:
+      # This is the path to the data source. Given that this will evaluate
+      # for each repository in the organization, we use a template that
+      # will be evaluated for each repository. The structure to use is the
+      # protobuf structure for the entity that is being evaluated.
+      endpoint: '/repos/{{.Entity.Owner}}/{{.Entity.Name}}/branches/{{ index .Params "branch" }}/protection'
+      # This is the method to use to retrieve the data. It should already default to JSON
+      parse: json
+      fallback:
+        - http_code: 404
+          body: |
+            {"http_status": 404, "message": "Not Protected"}
+  # Defines the configuration for evaluating data ingested against the given policy
+  eval:
+    type: jq
+    jq:
+      - ingested:
+          def: ".allow_deletions.enabled"
+        profile:
+          def: ".allow_deletions"
+  # Defines the configuration for remediating the rule
+  remediate:
+    type: gh_branch_protection
+    gh_branch_protection:
+      patch: |
+        {"allow_deletions":{{ .Profile.allow_deletions }} }
diff --git a/examples/github/rule-types/branch_protection_allow_force_pushes.yaml b/examples/github/rule-types/branch_protection_allow_force_pushes.yaml
@@ -0,0 +1,62 @@
+---
+version: v1
+type: rule-type
+name: branch_protection_allow_force_pushes
+context:
+  provider: github
+description: Whether force pushes are allowed to the branch
+guidance: |
+  ## Permit force pushes for all users with push access.
+
+  For more information, see
+  https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
+def:
+  # Defines the section of the pipeline the rule will appear in.
+  # This will affect the template that is used to render multiple parts
+  # of the rule.
+  in_entity: repository
+  # Defines the schema for parameters that will be passed to the rule
+  param_schema:
+    properties:
+      branch:
+        type: string
+        description: "The name of the branch to check."
+    required:
+      - branch
+  # Defines the schema for writing a rule with this rule being checked
+  rule_schema:
+    properties:
+      allow_force_pushes:
+        type: boolean
+        description: "Permits force pushes to the protected branch by anyone with write access to the repository."
+    required:
+      - allow_force_pushes
+  # Defines the configuration for ingesting data relevant for the rule
+  ingest:
+    type: rest
+    rest:
+      # This is the path to the data source. Given that this will evaluate
+      # for each repository in the organization, we use a template that
+      # will be evaluated for each repository. The structure to use is the
+      # protobuf structure for the entity that is being evaluated.
+      endpoint: '/repos/{{.Entity.Owner}}/{{.Entity.Name}}/branches/{{ index .Params "branch" }}/protection'
+      # This is the method to use to retrieve the data. It should already default to JSON
+      parse: json
+      fallback:
+        - http_code: 404
+          body: |
+            {"http_status": 404, "message": "Not Protected"}
+  # Defines the configuration for evaluating data ingested against the given policy
+  eval:
+    type: jq
+    jq:
+      - ingested:
+          def: ".allow_force_pushes.enabled"
+        profile:
+          def: ".allow_force_pushes"
+  # Defines the configuration for remediating the rule
+  remediate:
+    type: gh_branch_protection
+    gh_branch_protection:
+      patch: |
+        {"allow_force_pushes":{{ .Profile.allow_force_pushes }} }