feat: [#5] Protect main branch

README.md

@@ -44,3 +44,31 @@ variables:
 | settings_merge_squash | Enable merge request squash |
 | settings_projects | Whether the project tab should be enabled |
 | settings_wiki | Wiki enabled or not |
+
+## testing
+
+- [Install](https://github.com/cli/cli?tab=readme-ov-file#installation) gh cli.
+- Create a read only token.
+- Login: `gh auth login`
+
+https://gist.github.com/duboisf/68fb6e22ac0a2165ca298074f0e3b553
+
+```
+gh api graphql -F repositoryId="MDEwOlJlcG9zaXRvcnkxMTUzMzI5MTE=" -F branchName='master6' -f query='
+ mutation CreateBranchProtectionRule($branchName: String!, $repositoryId: ID!) {
+ createBranchProtectionRule(input: {
+ repositoryId: $repositoryId,
+ pattern: $branchName,requiresApprovingReviews:true, requiredApprovingReviewCount:1
+ requiresCodeOwnerReviews:true, requiresStatusChecks:true,
+ restrictsReviewDismissals:false, allowsDeletions: false
+ allowsForcePushes:false
+ dismissesStaleReviews:true
+ }) {
+ branchProtectionRule {
+ id
+ databaseId
+ }
+ }
+}
+ '
+```

action.yml

@@ -72,3 +72,42 @@ runs:
  - name: enable or disable the 'wiki' tab for ${{ inputs.project }}
  run: gh repo edit ${{ inputs.project }} --enable-wiki=${{ inputs.settings_wiki }}
  shell: bash
+
+ - name: Set GitHub Path
+ run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
+ shell: bash
+ env:
+ GITHUB_ACTION_PATH: ${{ github.action_path }}
+ - name: protect main branch
+ run: |
+ repositoryId=$(gh repo view --json id -q '.id' "${{ inputs.project }}")
+ echo $repositoryId
+
+ branch_to_be_protected="main"
+ if gh api repos/${{ inputs.project }}/branches/${branch_to_be_protected}/protection; then
+ echo "main branch is protected already. Updating it...";
+ # gh api graphql \
+ # -f query="$(cat ${GITHUB_ACTION_PATH}/update-branch-protection-rule.graphql)" \
+ # -F branchName="${branch_to_be_protected}" \
+ # -F repository="${{ inputs.project }}"
+
+
+ curl \
+ --fail \
+ --verbose \
+ -L \
+ -X PUT \
+ -H "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer ${GH_TOKEN}" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ --data-binary "@${GITHUB_ACTION_PATH}/update-branch-protection.json" \
+ https://api.github.com/repos/${{ inputs.project }}/branches/${branch_to_be_protected}/protection
+ else
+ echo "main branch not protected. Protecting it...";
+ gh api graphql \
+ -f query="$(cat ${GITHUB_ACTION_PATH}/create-branch-protection-rule.graphql)" \
+ -F branchName="${branch_to_be_protected}" \
+ -F repository="${{ inputs.project }}"
+ fi
+
+ shell: bash

create-branch-protection-rule.graphql

@@ -0,0 +1,11 @@
+# https://docs.github.com/en/graphql/reference/input-objects#createbranchprotectionruleinput
+mutation CreateBranchProtectionRule($branchName: String!, $repositoryId: ID!) {
+ updateBranchProtectionRule(
+ input: { pattern: $branchName, repositoryId: $repositoryId }
+ ) {
+ branchProtectionRule {
+ id
+ databaseId
+ }
+ }
+}

update-branch-protection-rule.graphql

@@ -0,0 +1,16 @@
+# https://docs.github.com/en/graphql/reference/input-objects#updatebranchprotectionruleinput
+# https://docs.github.com/en/graphql/reference/objects#branchprotectionrule
+mutation UpdateBranchProtectionRule($branchName: String!, $repositoryId: ID!) {
+ branchProtectionRule(
+ input: {
+ pattern: $branchName
+ repositoryId: $repositoryId
+ requiresApprovingReviews: true
+ }
+ ) {
+ branchProtectionRule {
+ id
+ databaseId
+ }
+ }
+}

update-branch-protection.json

@@ -0,0 +1,30 @@
+{
+ "required_status_checks": {
+ "strict": true,
+ "contexts": ["continuous-integration/travis-ci"]
+ },
+ "enforce_admins": true,
+ "required_pull_request_reviews": {
+ "dismissal_restrictions": {
+ "users": ["octocat"]
+ },
+ "dismiss_stale_reviews": true,
+ "require_code_owner_reviews": true,
+ "required_approving_review_count": 2,
+ "require_last_push_approval": true,
+ "bypass_pull_request_allowances": {
+ "users": ["octocat"]
+ }
+ },
+ "restrictions": {
+ "users": ["octocat"],
+ "apps": ["super-ci"]
+ },
+ "required_linear_history": true,
+ "allow_force_pushes": true,
+ "allow_deletions": true,
+ "block_creations": true,
+ "required_conversation_resolution": true,
+ "lock_branch": true,
+ "allow_fork_syncing": true
+}