branchprotector: remove protection from excluded branches #478

Open
wants to merge 1 commit into
base: main
kaovilai

Fix issue where excluded branches retain existing protection instead of being removed.

When a branch is added to the exclude list in branchprotector configuration, the tool
correctly stops applying new protection rules but does not remove existing protection
from branches that were previously protected.

This change adds logic to detect excluded branches that are currently protected and
queue them for removal by sending requirements with Request: nil, which triggers
RemoveBranchProtection() in the configureBranches() function.

The fix prevents push failures like:
remote: error: GH006: Protected branch update failed for refs/heads/konflux-branch
remote: - Changes must be made through a pull request.

Changes:

  • Add detection logic for excluded protected branches in UpdateRepo()
  • Send removal requests (Request: nil) for such branches
  • Update tests to expect removal requests for excluded protected branches
  • Add code comment explaining the call flow to RemoveBranchProtection

Fixes #477

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 16, 2025

netlify bot commented Jun 16, 2025

Deploy Preview for k8s-prow ready!

Name Link
🔨 Latest commit f1b83a2
🔍 Latest deploy log https://app.netlify.com/projects/k8s-prow/deploys/685018916d61cf000879fd38
😎 Deploy Preview https://deploy-preview-478--k8s-prow.netlify.app
To edit notification comments on pull requests, go to your Netlify project configuration.

Fix issue where excluded branches retain existing protection instead of being removed.

When a branch is added to the exclude list in branchprotector configuration, the tool
correctly stops applying new protection rules but does not remove existing protection
from branches that were previously protected.

This change adds logic to detect excluded branches that are currently protected and
queue them for removal by sending requirements with Request: nil, which triggers
RemoveBranchProtection() in the configureBranches() function.

The fix prevents push failures like:
  remote: error: GH006: Protected branch update failed for refs/heads/konflux-branch
  remote: - Changes must be made through a pull request.

Changes:
- Add detection logic for excluded protected branches in UpdateRepo()
- Send removal requests (Request: nil) for such branches
- Update tests to expect removal requests for excluded protected branches
- Add code comment explaining the call flow to RemoveBranchProtection

Fixes kubernetes-sigs#477

Signed-off-by: Tiger Kaovilai <passawit.kaovilai@gmail.com>
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 16, 2025
@kaovilai kaovilai force-pushed the fix-excluded-branch-protection-removal branch from 2f7aa72 to f1b83a2 Compare June 16, 2025 13:13
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 16, 2025
@k8s-ci-robot
Contributor

Hi @kaovilai. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kaovilai
Once this PR has been reviewed and has the lgtm label, please assign petr-muller for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested a review from droslean June 16, 2025 13:13
@k8s-ci-robot k8s-ci-robot added the area/branchprotector Issues or PRs related to prow's branchprotector component label Jun 16, 2025
@k8s-ci-robot k8s-ci-robot requested a review from petr-muller June 16, 2025 13:13
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jun 16, 2025
@kaovilai kaovilai marked this pull request as ready for review June 16, 2025 13:14
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 16, 2025
@k8s-ci-robot k8s-ci-robot requested a review from matthyx June 16, 2025 13:14
@petr-muller
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 16, 2025
@@ -346,6 +348,27 @@ func (p *protector) UpdateRepo(orgName string, repoName string, repo config.Repo
}
}

// Handle excluded branches that are currently protected and need removal
if branchExclusions != nil {
seen := make(map[string]bool)
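
Review bot: `seen := make(map[string]bool)` on the last line of this hunk has no comment saying why a branch name could repeat, which is the first question a reader will have. If the branch list can hold the same name more than once, state that in a one-line comment here, or deduplicate where the list is built so this block does not need the map. The block comment above the `if` should also say that an exclude match now removes existing protection instead of only skipping the branch, since that is a behaviour change for anyone running with a broad exclude pattern.
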
Member

@Prucek Prucek Jun 17, 2025

Why is this map needed?

Author

Problem

The allBranches slice can contain duplicate entries for the same branch because it's populated from two separate API calls:

  for _, onlyProtected := range []bool{false, true} { // runs twice
      bs, err := p.client.GetBranches(orgName, repoName, onlyProtected)
      allBranches = append(allBranches, bs...) // can add same branch twice
  }

Without Deduplication

If a branch like konflux-test appears in both API responses, we would send two removal requests:

  1. First iteration: {Org: "org", Repo: "repo", Branch: "konflux-test", Request: nil}
  2. Second iteration: {Org: "org", Repo: "repo", Branch: "konflux-test", Request: nil}

With seen Map

  if b.Protected && branchExclusions.MatchString(b.Name) && !seen[b.Name] {
      seen[b.Name] = true  // Mark as processed
      // Send removal request only once
  }

The seen map ensures each excluded protected branch gets exactly one removal request, regardless of how many times it appears in allBranches.

This prevents:

  • Duplicate API calls to GitHub
  • Confusing log messages
  • Potential race conditions in the removal process

Author

Perhaps if p.client.GetBranches(orgName, repoName, false) returns all branches, we can initialize allBranches once.

Member

okay, get it. Thanks!
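
The deduplication discussed in the review thread above, as an added Go example that is not code from this PR or from prow: `Branch`, `Removal` and `ExcludedProtected` are hypothetical stand-ins, and the branch list is constructed sample data. It also compares an anchored exclude pattern with an unanchored one, because every protected branch the pattern matches is queued for removal of its protection.

```go
package main

import (
	"fmt"
	"regexp"
)

// Branch is a hypothetical stand-in for a listed branch (assumed shape).
type Branch struct {
	Name      string
	Protected bool
}

// Removal is a hypothetical stand-in for a requirement sent with Request: nil.
type Removal struct{ Org, Repo, Branch string }

// ExcludedProtected returns exactly one Removal for each branch that is
// currently protected and matches the exclude pattern, even when the input
// lists the same branch more than once.
func ExcludedProtected(org, repo string, all []Branch, exclude *regexp.Regexp) []Removal {
	if exclude == nil {
		return nil // no exclusions configured: nothing to unprotect
	}
	seen := make(map[string]bool)
	var out []Removal
	for _, b := range all {
		if !b.Protected || !exclude.MatchString(b.Name) || seen[b.Name] {
			continue
		}
		seen[b.Name] = true // later duplicates of this name are skipped
		out = append(out, Removal{Org: org, Repo: repo, Branch: b.Name})
	}
	return out
}

func main() {
	// Constructed sample: duplicates as produced by appending two listings.
	all := []Branch{
		{"main", true}, {"konflux-test", true}, {"konflux-dev", false},
		{"release-konflux", true}, {"main", true}, {"konflux-test", true},
	}
	anchored := regexp.MustCompile(`^konflux-`)
	loose := regexp.MustCompile(`konflux`) // unanchored: also hits release-konflux
	fmt.Println("anchored:", ExcludedProtected("org", "repo", all, anchored))
	fmt.Println("loose:   ", ExcludedProtected("org", "repo", all, loose))
}
```
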

@Prucek
Member

Prucek commented Jun 18, 2025

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 18, 2025
Development

Successfully merging this pull request may close these issues.

branchprotector: excluded branches retain existing protection instead of being removed