diff --git a/.github/repository-settings.md b/.github/repository-settings.md index b2103ad48669..97e9781954b4 100644 --- a/.github/repository-settings.md +++ b/.github/repository-settings.md 
@@ -23,91 +23,53 @@ settings](https://github.com/open-telemetry/community/blob/main/docs/how-to-conf Read repository contents and packages permissions - Allow GitHub Actions to create and approve pull requests: UNCHECKED -## Rules > Rulesets - -### `main` and release branches - -- Targeted branches: - - `main` - - `release/*` -- Branch rules - - Restrict deletions: CHECKED - - Require a pull request before merging: CHECKED - - Required approvals: 1 - - Require review from Code Owners: CHECKED - - Allowed merge methods: Squash - - Require status checks to pass - - Do not require status checks on creation: CHECKED - - Status checks that are required - - EasyCLA - - `required-status-check` - - `gradle-wrapper-validation` - - Block force pushes: CHECKED - - Require code scanning results: CHECKED - - CodeQL - - Security alerts: High or higher - - Alerts: Errors - -> [!NOTE] -> This repository can't "require linear history" because there is an old merge commit on `main` -> (and so also on the release branches). 
- -### `cloudfoundry` branch - -- Targeted branches: - - `cloudfoundry` -- Branch rules - - Restrict deletions: CHECKED - - Require linear history: CHECKED - - Require a pull request before merging: CHECKED - - Required approvals: 1 - - Require review from Code Owners: CHECKED - - Allowed merge methods: Squash - - Require status checks to pass - - EasyCLA - - Block force pushes: CHECKED - -### `gh-pages` branch - -- Targeted branches: - - `gh-pages` -- Branch rules - - Restrict deletions: CHECKED - - Require linear history: CHECKED - - Block force pushes: CHECKED - -### Old-style release branches - -- Targeted branches: - - `v0.*` - - `v1.*` -- Branch rules - - Restrict creations: CHECKED - - Restrict updates: CHECKED - - Restrict deletions: CHECKED - -### Restrict branch creation - -- Targeted branches - - Exclude: - - `release/*` - - `renovate/**/*` - - `otelbot/**/*` - - `revert-*/**/*` (these are created when using the GitHub UI to revert a PR) -- Restrict creations: CHECKED - -### Restrict updating tags - -- Targeted tags - - All tags -- Restrict updates: CHECKED -- Restrict deletions: CHECKED - ## Branch protections -### `main`, `release/*`, `cloudfoundry` +The order of branch protection rules +[can be important](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule#about-branch-protection-rules). +The branch protection rules below should be added before the `**/**` branch protection rule +(this may require deleting the `**/**` rule and recreating it at the end). + +### `main` + +- Require branches to be up to date before merging: UNCHECKED + + (PR jobs take too long, and leaving this unchecked has not been a significant problem) + +- Status checks that are required: + + - EasyCLA + - required-status-check + - gradle-wrapper-validation + - CodeQL + +### `release/*` + +Same settings as above for [`main`](#main). 
+ +### `v0.*` and `v1.*` (old-style release branches) + +- Lock branch: CHECKED + +- Do not allow bypassing the above settings: CHECKED + +### `cloudfoundry` + +Same settings as above for [`main`](#main), +except for the `required-status-check` required status check. + +### `renovate/**/*` and `otelbot/**/*` + +Same settings as +for [`dependabot/**/*`](https://github.com/open-telemetry/community/blob/main/docs/how-to-configure-new-repository.md#branch-protection-rule-dependabot) + +### `gh-pages` + +- Everything UNCHECKED -- Restrict who can push to matching branches: CHECKED + (This branch is currently only used for directly pushing benchmarking results from the + [Nightly overhead benchmark](https://github.com/open-telemetry/opentelemetry-java-instrumentation/actions/workflows/nightly-benchmark-overhead.yml) + job) ## Code security and analysis
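Review bot: the removed "Restrict updating tags" section (restrict updates and deletions on all tags) has no counterpart in the added "Branch protections" text. Branch protection rules match branch names only, so after this change nothing documented here prevents a release tag from being moved or deleted. Either keep a tag ruleset or state where tag protection is now configured. Two smaller points in the same hunk. First, the new `main` section lists only the up-to-date setting and the required status checks, while the removed ruleset also recorded "Required approvals: 1", "Require review from Code Owners", "Block force pushes" and "Restrict deletions". If those now come from the linked community document or the `**/**` rule, say so explicitly in the `main` section so the file stays auditable on its own. Second, `gh-pages` goes from "Restrict deletions" and "Block force pushes" to "Everything UNCHECKED". The parenthetical explains why direct pushes are needed but not why force pushes and deletion must also be allowed, and the removed "Restrict who can push to matching branches: CHECKED" line suggests push access was previously limited. It would help to note which identity the benchmark job pushes as and whether the restriction can stay in place for it.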