Apply RFC0015 branch protection by default

rkoster · rkoster · commit c036efc08dad · 2025-06-24T14:37:44.000+02:00
diff --git a/orgs/org_management.py b/orgs/org_management.py
@@ -192,18 +192,17 @@ def generate_teams(self):
 
     def generate_branch_protection(self):
         # basis is static config in self.branch_protection which is never overwritten
-        # generate RFC0015 branch protection rules for every WG+TOC that opted in
+        # generate RFC0015 branch protection rules for every WG+TOC by default
         for org in OrgGenerator._MANAGED_ORGS:
             branch_protection_repos = self.branch_protection["branch-protection"]["orgs"][org]["repos"]
             wgs = self.working_groups[org]
             if org == self.toc["org"]:
                 wgs.append(self.toc)
             for wg in wgs:
-                if wg.get("config", {}).get("generate_rfc0015_branch_protection_rules", False):  # config is optional
-                    repo_rules = self._generate_wg_branch_protection(wg)
-                    for repo in repo_rules:
-                        if repo not in branch_protection_repos:
-                            branch_protection_repos[repo] = repo_rules[repo]
+                repo_rules = self._generate_wg_branch_protection(wg)
+                for repo in repo_rules:
+                    if repo not in branch_protection_repos:
+                        branch_protection_repos[repo] = repo_rules[repo]
 
     def write_org_config(self, path: str):
         print(f"Writing org configuration to {path}")
diff --git a/toc/rfc/rfc-0015-branch-protection.md b/toc/rfc/rfc-0015-branch-protection.md
@@ -37,3 +37,11 @@ With respect to the approval of pull requests, we propose that the number of app
 * 1 approval will be required when a working group has 4 or more people in the approver role.
 
 The automation should allow to override the standard branch protection per respository using a configuration file maintained in this community repository. This allows working group leads e.g. to reduce the number of required approvals if several approvers are temporarily not available.
+
+## Amendments
+
+### Protection by Default
+
+To improve the security posture of the foundation, the branch protection rules defined in this RFC are applied by default to all repositories of all Working Groups. The previous opt-in mechanism via a flag in Working Group charters is removed.
+
+Working Groups can request exceptions for specific repositories by creating a pull request against `orgs/branchprotection.yml`. The pull request description MUST contain a justification for the exception.
diff --git a/toc/working-groups/app-runtime-deployments.md b/toc/working-groups/app-runtime-deployments.md
@@ -79,6 +79,4 @@ areas:
   - cloudfoundry/relint-team
   - cloudfoundry/runtime-ci
   - cloudfoundry/uptimer
-config:
-  generate_rfc0015_branch_protection_rules: true
 ```
diff --git a/toc/working-groups/app-runtime-interfaces.md b/toc/working-groups/app-runtime-interfaces.md
@@ -522,7 +522,4 @@ areas:
   repositories:
   - cloudfoundry/stratos
   - cloudfoundry/stratos-buildpack
-
-config:
-  generate_rfc0015_branch_protection_rules: true
 ```
diff --git a/toc/working-groups/app-runtime-platform.md b/toc/working-groups/app-runtime-platform.md
@@ -54,7 +54,6 @@ bots:
 - name: Cryogenics CI bot
   github: Cryogenics-CI
 config:
-  generate_rfc0015_branch_protection_rules: true
   github_project_sync:
     mapping:
       cloudfoundry: 41
diff --git a/toc/working-groups/cf-on-k8s.md b/toc/working-groups/cf-on-k8s.md
@@ -38,8 +38,6 @@ technical_leads:
 bots:
 - name: korifi-bot
   github: korifi-bot
-config:
-  generate_rfc0015_branch_protection_rules: true
 areas:
 - name: Korifi
   approvers:
