Switch nixpkgs to branch protection rulesets

[wolfgangwalther]

This PR is not necessarily intended to be merged*. It targets #120, but discussing code in a Pull Request is easier than in an issue. Those files are supposed to be imported into the nixpkgs branch protection rulesets section.

Those files have been created in my fork and were then exported. The only modification I made manually is in the bypass_actors section. Since I can't have any teams in my personal fork, I added those manually. Hopefully that works, it should according to API docs etc.

The Team ID's can be verified with:

gh api /orgs/NixOS/teams/channel-updaters

gh api /orgs/NixOS/teams/nixos-release-managers

The general structure is different compared to the classic branch protection rules, because the features are slightly different. The new rulesets can only define bypassers for the whole ruleset, not for some of the rules in it. Thus, the different rules must be separated to replicate the status-quo.

AFAICT, this should replicate the status-quo exactly. Of course, careful review is required.

@infinisil

---

*If, however, we want to document those rules here, then they should be re-exported after import.

[infinisil]

Thank you! I've reviewed this and can confirm that this should match the status quo!

Since I'm pretty sure we can run both rulesets and branch protections simultaneously, I'll go ahead and import these right now (while doing another sanity check before saving). I'll update the PR with the exported ones then.

After that, let's do a brief check before getting another approval from an org admin to turn off branch protections.

[infinisil]

@wolfgangwalther The only notable difference after importing is this. Do you know what that's about?

[wolfgangwalther]

The only notable difference after importing is this. Do you know what that's about?

Hrhr... false is the default here and I don't think I changed it. I do remember, that I clicked on the "Hide additional settings" button in the "restrict updates" section. Maybe that caused it to be saved differently for me somehow, aka saving the default explicitly?

Edit: To clarify, because the name is misleading, it's this setting:

Allow fork syncing
Branch can pull changes from its upstream repository

(you can see the id via devtools)

[infinisil]

Ah I see, there's no additional settings for organisations!

I invited you to my https://github.com/orgs/Infinisil-s-Test-Organization in case you want to mess around with org settings and don't want to create your own test org.

[wolfgangwalther]

Of course, that makes sense. Maybe not because it's in an organization, but because the original is not a fork, so the setting doesn't make sense.

[wolfgangwalther]

I added a simple README to the rulesets/ folder and an export.bash script that makes it simpler to do the export. The export via the API will contain a few new fields, could you run it once, @infinisil? I can't do it, because the bypass_actors field is not available for non-owners.

The latter is also an argument why to keep the exports checked into the repo. The rules might be visible for everyone through the branches tab in the repos, but this does not contain the bypassing actors.

[zimbatm]

nice, thanks for helping make the project more transparent

[wolfgangwalther]

getting another approval from an org admin to turn off branch protections.

I think we can do that now.

Once this is merged, I can create PRs to propose actual changes to the branch protection rules.

[infinisil]

Deleted the branch protections now, so we only rely on rulesets now!