On Wed, Nov 12, 2025 at 2:43 AM Piotr P. Karwasz
<[email protected]> wrote:
>
> Hi all,
>
> On 5.11.2025 20:38, Piotr P. Karwasz wrote:
> > As you can see, there are currently no branch protection rules on the
> > main branches of Commons repositories.
> >
> > I’d like to propose adding branch protection rules to `master` to:
> >
> > - prevent force pushes (like the test above), and
> > - prevent branch deletion (this may already be enforced on the GitBox
> >   side, but I haven’t tested).
> >
> > In `.asf.yaml` [1], these rules are defined as:
> >
> >   github:
> >     protected_branches:
> >       master: { }
> >
> > Any objections? I think enabling this basic protection is an important
> > safeguard for all Commons projects.

If the _only_ thing this does is prevent "git --force" on only the
master branch, then it seems OK, but for completeness, what are the
cons? What about --force-with-lease? I assume this would be blocked as
well?

There should be zero automatic merging IMO, so -1 to that. We don't
need to think of the hint of a possibility of a supply chain attack,
and who knows what else.

Gary

>
>
> I’m not sure if the lack of replies means tacit agreement or if my
> previous message got missed. Are there any objections to introducing the
> above rules?
>
> They only prevent deletion and force pushes on the `master` branch.
>
> I’d also appreciate your thoughts on the additional, optional rules below:
>
>
> >   github:
> >     protected_branches:
> >       contexts:
> >         - context: build (ubuntu-latest, 25, false)
> >           app: github-actions
> >         - context: CodeQL
> >           app: github-advanced-security
> >     pull_requests:
> >       allow_auto_merge: true
>
>
> This configuration enables GitHub’s *auto-merge* feature, allowing PRs
> to be merged automatically once all required CI checks succeed.
>
> It also prevents merging (through GitHub) PRs if any of the explicitly
> listed workflows fail, but that is something you might expect from a PR.
>
> Additional useful options include:
>
> - allow_update_branch: adds an “Update branch” button, making it easy to
> rebase a PR branch onto `master` after fixes or build updates have been
> pushed.
>
> - del_branch_on_merge: automatically deletes a PR branch after it has
> been merged, removing one extra step for committers.
>
> Piotr
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
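
Added example, not part of the thread and not ASF, GitBox or GitHub code: a `pre-receive` hook for a self-hosted Git server that enforces the same two rules discussed above for `master` (no deletion, no history rewrite). It shows why the server cannot tell `--force` from `--force-with-lease`: the hook only ever receives the old and new object ids. The function names and the `PROTECTED` set are assumptions made for this illustration.

```python
#!/usr/bin/env python3
"""pre-receive hook: refuse deletion and non-fast-forward updates of master."""
import subprocess
import sys

PROTECTED = {"refs/heads/master"}  # assumption: branch name taken from the thread


def is_zero(oid):
    """An all-zero object id marks ref creation (old) or deletion (new)."""
    return set(oid) == {"0"}


def git_is_ancestor(old, new):
    """True when `old` is reachable from `new`, i.e. the update is a fast-forward."""
    cmd = ["git", "merge-base", "--is-ancestor", old, new]
    return subprocess.run(cmd).returncode == 0


def check_update(old, new, ref, is_ancestor=git_is_ancestor):
    """Return None to accept the ref update, or a rejection reason."""
    if ref not in PROTECTED:
        return None
    if is_zero(new):
        return f"deleting {ref} is not allowed"
    if is_zero(old):
        return None  # branch creation, nothing to rewrite
    # Only old -> new reaches the server. --force and --force-with-lease are
    # client-side options, so both arrive here as the same history rewrite.
    if not is_ancestor(old, new):
        return f"non-fast-forward update of {ref} is not allowed"
    return None


def main(lines):
    """Git feeds one '<old> <new> <ref>' line per updated ref on stdin."""
    errors = []
    for line in lines:
        if line.strip():
            reason = check_update(*line.split())
            if reason:
                errors.append(reason)
    for reason in errors:
        print(f"rejected: {reason}", file=sys.stderr)
    return 1 if errors else 0  # non-zero exit rejects the whole push


if __name__ == "__main__":
    sys.exit(main(sys.stdin))
```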
