[ https://issues.apache.org/jira/browse/FINERACT-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18080772#comment-18080772 ]

Adam Monsen edited comment on FINERACT-2605 at 5/13/26 9:01 PM:
----------------------------------------------------------------

The ASF should start sending pull requests soon.

To understand this process and ensure a smooth transition, I updated 
{{.asf.yaml}} for {{apache/fineract}} today, replacing 
{{protected_branches}} with {{rulesets}} (this is part of the ASF 
recommendation).

Commits: 
[1|https://github.com/apache/fineract/commit/d63a61761033d1a7b6e4caa935ed675f8c843356], 
[2|https://github.com/apache/fineract/commit/6ee03b14b568d9ba8e745861cc117042e0c21b93], 
[3|https://github.com/apache/fineract/commit/db7f6708a9614ced15a741935863a40b5935c945], 
[4|https://github.com/apache/fineract/commit/31a1036686b8b5d1113b457cd546a648aa970497].

Initially this caused [a problem|https://lists.apache.org/thread/ydxz4n6lrlm2cfb2v6o7m5m6sxl5z3c6]:
{quote}An error occurred while processing the github feature in .asf.yaml:

Validation failed while creating ruleset 'Branch Protection': Invalid request.

Invalid property /rules/3: data matches no possible input. See 
`documentation_url`.
{quote}
Ultimately this came down to a difference in 
[how {{rulesets}} is transformed|https://github.com/apache/infrastructure-asfyaml/blob/49a86604544bd82e8264de9d8188ed3a5572e05b/asfyaml/feature/github/rulesets.py#L327] 
into a 
[GitHub API call|https://docs.github.com/en/rest/repos/rules?apiVersion=2026-03-10#create-a-repository-ruleset], 
and it forces a difference in our workflow:

Before: commits directly to develop were allowed. If a PR is used, all 
conversations in that PR must be resolved.

After: commits directly to develop are not allowed. All changes must come from 
PRs.

That might be what we want, but I want to run it by (at least) the PMC first.

With {{protected_branches}}, {{required_conversation_resolution: true}} was 
allowed without setting any other restrictions on pull requests.

With {{rulesets}}, the final {{pull_request}} object in the JSON sent to 
the GitHub API is generated differently, so a {{required_pull_request_reviews}} 
mapping must also be set in the {{.asf.yaml}} or required parameters are 
missing when the call is made against GitHub's API.


was (Author: meonkeys):
The ASF should start sending pull requests soon.

To understand this process and ensure a smooth transition, I updated 
{{.asf.yaml}} for {{apache/fineract}}, replacing {{protected_branches}} 
with {{rulesets}} (this is part of the ASF recommendation).

Commits: 
[1|https://github.com/apache/fineract/commit/d63a61761033d1a7b6e4caa935ed675f8c843356], 
[2|https://github.com/apache/fineract/commit/6ee03b14b568d9ba8e745861cc117042e0c21b93], 
[3|https://github.com/apache/fineract/commit/db7f6708a9614ced15a741935863a40b5935c945], 
[4|https://github.com/apache/fineract/commit/31a1036686b8b5d1113b457cd546a648aa970497].

Initially this caused [a problem|https://lists.apache.org/thread/ydxz4n6lrlm2cfb2v6o7m5m6sxl5z3c6]:
{quote}An error occurred while processing the github feature in .asf.yaml:

Validation failed while creating ruleset 'Branch Protection': Invalid request.

Invalid property /rules/3: data matches no possible input. See 
`documentation_url`.
{quote}
Ultimately this came down to a difference in 
[how {{rulesets}} is transformed|https://github.com/apache/infrastructure-asfyaml/blob/49a86604544bd82e8264de9d8188ed3a5572e05b/asfyaml/feature/github/rulesets.py#L327] 
into a 
[GitHub API call|https://docs.github.com/en/rest/repos/rules?apiVersion=2026-03-10#create-a-repository-ruleset], 
and it forces a difference in our workflow:

Before: commits directly to develop were allowed. If a PR is used, all 
conversations in that PR must be resolved.

After: commits directly to develop are not allowed. All changes must come from 
PRs.

That might be what we want, but I want to run it by (at least) the PMC first.

With {{protected_branches}}, {{required_conversation_resolution: true}} was 
allowed without setting any other restrictions on pull requests.

With {{rulesets}}, the final {{pull_request}} object in the JSON sent to 
the GitHub API is generated differently, so a {{required_pull_request_reviews}} 
mapping must also be set in the {{.asf.yaml}} or required parameters are 
missing when the call is made against GitHub's API.

> improve protection for important branches
> -----------------------------------------
>
>                 Key: FINERACT-2605
>                 URL: https://issues.apache.org/jira/browse/FINERACT-2605
>             Project: Apache Fineract
>          Issue Type: Task
>          Components: Build
>            Reporter: Adam Monsen
>            Priority: Major
>             Fix For: 1.15.0
>
>
> The ASF recommends protecting our default branch and any important branches 
> by preventing branch delete and force push operations. I believe this 
> recommendation fits well within our existing best practice / policy / 
> workflow (although, full transparency, I'm not sure how much of all that we 
> follow is written down). We can adopt and codify the ASF's recommendation 
> with changes to our {{.asf.yaml}} files. First and foremost is the one in the 
> {{apache/fineract}} repo, but we have other repositories as well that would 
> benefit from similar protections.
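
Added example (not part of the original comment and not code from the asfyaml project): a pre-flight check that reports, by JSON pointer, which {{pull_request}} rules in a ruleset payload lack required parameters before the payload is sent to GitHub. The required-parameter list is an assumption based on GitHub's REST documentation for repository rulesets; the sample payload, its rule order and the helper names are constructed for illustration.

```python
# Required keys of a "pull_request" rule's parameters (assumption: taken from
# GitHub's REST docs for repository rulesets; verify for the API version used).
REQUIRED_PR_PARAMS = (
    "dismiss_stale_reviews_on_push",
    "require_code_owner_review",
    "require_last_push_approval",
    "required_approving_review_count",
    "required_review_thread_resolution",
)


def missing_pr_params(ruleset):
    """Map JSON pointer ('/rules/N') to the missing required pull_request keys."""
    problems = {}
    for index, rule in enumerate(ruleset.get("rules", [])):
        if rule.get("type") != "pull_request":
            continue
        params = rule.get("parameters") or {}
        missing = [key for key in REQUIRED_PR_PARAMS if key not in params]
        if missing:
            problems[f"/rules/{index}"] = missing
    return problems


def fill_least_restrictive(params):
    """Copy params, setting absent required keys to False / 0 (hypothetical defaults)."""
    filled = dict(params)
    for key in REQUIRED_PR_PARAMS:
        filled.setdefault(key, 0 if key == "required_approving_review_count" else False)
    return filled


# Constructed payload: only conversation resolution is requested, as it was
# under protected_branches. Rule order is made up to mirror '/rules/3'.
SAMPLE_RULESET = {
    "name": "Branch Protection",
    "target": "branch",
    "enforcement": "active",
    "conditions": {"ref_name": {"include": ["refs/heads/develop"], "exclude": []}},
    "rules": [
        {"type": "deletion"},
        {"type": "non_fast_forward"},
        {"type": "required_linear_history"},
        {"type": "pull_request",
         "parameters": {"required_review_thread_resolution": True}},
    ],
}

if __name__ == "__main__":
    print(missing_pr_params(SAMPLE_RULESET))
```

Even with every review parameter at its least restrictive value, the presence of a {{pull_request}} rule means changes reach the branch only through PRs, which is the workflow difference described in the comment.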


