Nixpkgs (better) branch protection rules?

[primeos]

We currently have a lot of branches (86 to be precise, see git ls-remote --heads https://github.com/NixOS/nixpkgs.git) and AFAIK we neither have a good naming scheme nor enough documentation on some of them. Events in the past also showed that our branch protection rules are lacking (force-pushes to production branches, accidentally created branches, etc.).

Currently we e.g. have the following "interesting" branches:

Some of them should be for custom Hydra jobsets (but not all of them might still be in use) while others seem to be created on accident:

• 0.5-stable
• SuperSandro2000-patch-1
• ci-no-channel
• cytoscape-3.8.0
• darwin-sandbox
• docs-all-packages
• fetchgit-sri
• fetchurl-user-agent
• fix-predictable-ifnames-in-initrd-19.09
• freebsd-losser
• ghc-dwarf
• glibc-2.33
• gnome-20.03
• gnome-40
• gnu-kfreebsd
• grsec-stdenv
• haskell-updates
• hydra
• kevincox-openarena-server
• kevincox-phodav-udev
• kmod-lib-modules
• kube-update
• libgcrypt-cross
• logistics
• mkMap
• mkderiv-env
• nix-upgrade
• nixpart
• pr-91557
• python-unstable
• python3
• release-18.09-firefox64
• reproducibility
• revert-114425-auto-update/eclib
• revert-116335-move-aliases.nix
• staging-patchelf
• staging.patchShebangs
• structured-attrs
• syscall-tracing
• systemd-lib-reintroduce
• update-groff
• wip/splice-more
• x86_64-darwin

IMO it would be a good idea to use branch protection rules with wildcards combined with a naming scheme (the naming scheme would be important for the wildcard rules but would also help understanding the purpose of a branch and identify "invalid" branches). Unfortunately the "protected branches" feature from GitHub is pretty limited (https://docs.github.com/en/github/administering-a-repository/about-protected-branches). E.g.:

• "Protected branch rules that mention a special character, such as *, ?, or ], are applied in the order they were created, so older rules with these characters have a higher priority." (which is especially unfortunate as they cannot be reordered...)

I haven't thought much about this yet but it should be possible to do something like this (likely still incomplete):

• master, release-*, and staging-*: Allow @NixOS/nixpkgs-committers to push but no force pushes and no deletions (with "Require status checks to pass before merging" it should also be possible to prevent direct pushing but allow merging PRs)
• nixos-*: Only give @NixOS/channel-updaters access, no force pushes, and no deletions
• hydra-jobset-*: Create a @NixOS/ team for people who need to push to these branches and allow force pushes as well as deletions.
• *: Use something super strict as default for all other branches (no push access (e.g. assigning an empty team or org admins only), no force pushes, no deletions, etc.)
  • This rule would have to be recreated every time we add a new one to have the lowest priority (which is a bit unfortunate as it is the most important rule and recreating it could be error prone when not careful)

Ideally the branch protection rules would also be documented somewhere as only org admins can see https://github.com/NixOS/nixpkgs/settings/branches.

Known limitation:

• Cannot protect tags: Locking/auditing for tags isaacs/github#1091
• "By default, you cannot delete a protected branch. When you enable deletion of a protected branch, anyone with at least write permissions to the repository can delete the branch." - But this would luckily only affect hydra-jobset-* so far and from looking at the rest of the documentation the might've only forgotten to mention that "Restrict who can push to matching branches" also applies here because it should at least apply to "Allow force pushes" as well.

Other relevant issues/PRs:

• enable automerge in GitHub settings? #113354: Auto-merging would require enabling some essential status checks (enable automerge in GitHub settings? #113354 (comment))
• nixos-20.09 got force push? #109384 and ci: add no-channel check #109543
  • This is also an example for an accidental push to a nixos-* branch which can unfortunately happen super easily
  • Another example (unfortunately lost in the IRC logs): IIRC I did successfully force push to master years ago (an intentional test that was scripted to avoid damage) - I reported it on IRC and it shouldn't be possible anymore but since then I was too scared to test it again (I expected it wouldn't work when I first tried it...).
• Review security of nixpkgs commit process #20836: Stricter branch protection rules should improve this as well
• Maintainers: please don't push directly to master/release branches #118661

Examples of branches that might've been created on accident (this list is likely incomplete and I've redacted the names as the purpose isn't to blame anyone)

• revert-30286-patch-2 at NixOS/nixpkgs 2017-10-13T08
• vscode_1_17_2 at NixOS/nixpkgs 2017-10-18T15
• mariadb-10.2 at NixOS/nixpkgs 2017-10-18T15
• osx_private_sdk_remove_runtime at NixOS/nixpkgs 2017-10-30T12
• darwin-parallel at NixOS/nixpkgs 2017-10-30T23
• revert-31354-mathcomp.1.6.4 at NixOS/nixpkgs 2017-11-07T17
• revert-28480-qt5 at NixOS/nixpkgs 2017-11-11T16
• hydra at NixOS/nixpkgs 2017-11-12T16
• lib+paths at NixOS/nixpkgs 2017-11-15T21
• doc-for-patch-31684 at NixOS/nixpkgs 2017-11-17T16
• pam-ssh-security at NixOS/nixpkgs 2017-11-29T19
• copumpkin-aws-ntp at NixOS/nixpkgs 2017-11-30T03
• release-17.09 at NixOS/nixpkgs 2017-12-14T10
• yegortimoshenko-patch-1 at NixOS/nixpkgs 2017-12-19T22
• revert-32424-nixos/related-packages at NixOS/nixpkgs 2017-12-23T12
• revert-33006-revert-32424-nixos/related-packages at NixOS/nixpkgs 2017-12-23T12
• unstable-aarch64 at NixOS/nixpkgs 2018-01-11T14
• python-unstable at NixOS/nixpkgs 2018-01-20T14
• revert-34178-fix/clang-python3 at NixOS/nixpkgs 2018-01-23T15
• ptyprocess at NixOS/nixpkgs 2018-02-01T09
• poppler-0.62.0 at NixOS/nixpkgs 2018-02-02T23
• acme_systemd_extension at NixOS/nixpkgs 2018-02-04T14
• nix-2.0 at NixOS/nixpkgs 2018-02-05T18
• systemd-237 at NixOS/nixpkgs 2018-02-11T22
• python-unstable at NixOS/nixpkgs 2018-02-17T13
• glibc-2.27 at NixOS/nixpkgs 2018-02-18T21
• yegortimoshenko-patch-1 at NixOS/nixpkgs 2018-02-19T16
• sound-disabled-by-default at NixOS/nixpkgs 2018-02-22T19
• nasm-minor-update at NixOS/nixpkgs 2018-02-26T15
• python-unstable at NixOS/nixpkgs 2018-02-27T16
• revert-36278-revert-36119-maintainer-reformat at NixOS/nixpkgs 2018-03-04T03
• release-18.03 at NixOS/nixpkgs 2018-03-05T18
• revert-38354-update/git-2.17.0 at NixOS/nixpkgs 2018-04-03T12
• gnome-3.28 at NixOS/nixpkgs 2018-03-13T02
• openssh-drop-dsa at NixOS/nixpkgs 2018-03-13T21
• cpan-update at NixOS/nixpkgs 2018-03-15T09
• revert-31798-fixcamlmod at NixOS/nixpkgs 2018-03-22T16
• generators-codeowners at NixOS/nixpkgs 2018-03-23T10
• pr/37692 at NixOS/nixpkgs 2018-03-23T13
• yegortimoshenko-patch-1 at NixOS/nixpkgs 2018-03-24T09
• acme-fix at NixOS/nixpkgs 2018-03-24T16
• staging-18.03 at NixOS/nixpkgs 2018-03-29T16
• remove-dwb at NixOS/nixpkgs 2018-03-30T17
• pgsql-fixes at NixOS/nixpkgs 2018-04-09T16
• revert-38753-radare2 in NixOS/nixpkgs 2018-04-12T21
• yegortimoshenko-patch-2 in NixOS/nixpkgs 2018-04-14T17
• no-lib in NixOS/nixpkgs 2018-04-18T19
• zramSwap-one-dev in NixOS/nixpkgs 2018-04-19T14
• default-overrides in NixOS/nixpkgs 2018-04-25T21
• revert-39026-gdk-pixbuf-2.26.12 in NixOS/nixpkgs 2018-04-21T22
• ryantrinkle/ledgerblue-0.1.17 in NixOS/nixpkgs 2018-04-21T22
• revert-32049-tbs in NixOS/nixpkgs 2018-04-22T20
• ryantrinkle/ledgerblue-0.1.17 in NixOS/nixpkgs 2018-04-23T23
• update-util-linux in NixOS/nixpkgs 2018-05-01T19
• yegortimoshenko-patch-3 in NixOS/nixpkgs 2018-05-05T21
• yegortimoshenko-patch-4 in NixOS/nixpkgs 2018-05-11T10
• revert-41123-auto-update/bind in NixOS/nixpkgs 2018-05-27T09
• staging-stabilization in NixOS/nixpkgs 2018-05-27T14
• groovy-update in NixOS/nixpkgs 2018-05-30T18
• revert-37028-auto-update/itstool in NixOS/nixpkgs 2018-05-31T22
• matthewbauercross in NixOS/nixpkgs 2018-06-01T19
• matthewbauercros in NixOS/nixpkgs 2018-06-01T19
• lib-fix-recursive-update-until in NixOS/nixpkgs 2018-06-06T20
• maser in NixOS/nixpkgs 2018-06-07T19
• ghc-gmp in NixOS/nixpkgs 2018-06-11T19
• yegortimoshenko-patch-4 in NixOS/nixpkgs 2018-06-17T17
• yegortimoshenko-patch-6 in NixOS/nixpkgs 2018-06-17T20
• yegortimoshenko-patch-5 in NixOS/nixpkgs 2018-06-17T20
• yegortimoshenko-patch-7 in NixOS/nixpkgs 2018-06-18T12
• revert-42349-fix-hoogle-null-deps in NixOS/nixpkgs 2018-06-22T12
• fix-maintainer-name-z77z in NixOS/nixpkgs 2018-07-05T23
• staging-next in NixOS/nixpkgs 2018-07-14T16
• haskell-updates in NixOS/nixpkgs 2018-07-22T18
• opencollada-license in NixOS/nixpkgs 2018-08-02T10
• revert-44398-blueman-python3 in NixOS/nixpkgs 2018-08-05T23
• remove-jumanji in NixOS/nixpkgs 2018-08-06T10
• siege-unix in NixOS/nixpkgs 2018-08-13T14
• update-intel-gpu-tools in NixOS/nixpkgs 2018-08-14T20
• pgsql-fixes in NixOS/nixpkgs 2018-08-15T04
• openjdk-cross in NixOS/nixpkgs 2018-08-20T08
• postgresql-cross in NixOS/nixpkgs 2018-08-20T08
• gnome-3.30 in NixOS/nixpkgs 2018-09-02T15
• staging-18.09 in NixOS/nixpkgs 2018-09-03T06
• zimbatm-patch-1 in NixOS/nixpkgs 2018-09-09T15
• pr/46362 in NixOS/nixpkgs 2018-09-17T18
• nixos-tests-debug in NixOS/nixpkgs 2018-09-27T10
• tensorflow-1.11 in NixOS/nixpkgs 2018-09-28T14
• pull/47691/head in NixOS/nixpkgs 2018-10-13T15
• revert-48626-bump-autobahn-txaio in NixOS/nixpkgs 2018-10-28T13
• package/systemd-v239.20181031 in NixOS/nixpkgs 2018-10-31T15
• revert-49715-master in NixOS/nixpkgs 2018-11-04T17
• yegortimoshenko-patch-1 in NixOS/nixpkgs 2018-12-07T19
• python37 in NixOS/nixpkgs 2018-12-08T12
• nixpkgs/metaocaml-tweaks in NixOS/nixpkgs 2018-12-14T15
• revert-52502-brlaser-fix-out in NixOS/nixpkgs 2018-12-19T09
• revert-52614-collectd in NixOS/nixpkgs 2018-12-21T12
• revert-50521-qt-cf-private in NixOS/nixpkgs 2018-12-21T13
• pypy3-simplification in NixOS/nixpkgs 2018-12-21T16
• gitlab-11.6.0 in NixOS/nixpkgs 2018-12-25T14
• revert-48844-svc/ddclient in NixOS/nixpkgs 2018-12-29T15
• gcc-8 in NixOS/nixpkgs 2019-01-10T14
• init-gsconnect in NixOS/nixpkgs 2019-01-11T13
• yegortimoshenko-patch-1 in NixOS/nixpkgs 2019-01-11T17
• pr/qt5-darwin-fix in NixOS/nixpkgs 2019-01-12T14
• 18.09/openssh in NixOS/nixpkgs 2019-01-13T21
• raspberry-cross-fixes in NixOS/nixpkgs 2019-01-18T20
• grahamc-patch-1 in NixOS/nixpkgs 2019-01-30T19
• update-calibre in NixOS/nixpkgs 2019-02-01T08
• update-gtk-doc in NixOS/nixpkgs 2019-02-01T15
• update-rrdtool in NixOS/nixpkgs 2019-02-06T19
• update-dmenu in NixOS/nixpkgs 2019-02-06T18
• update-dwm in NixOS/nixpkgs 2019-02-06T18
• update-groovy in NixOS/nixpkgs 2019-02-06T20
• drop-intel-video-driver in NixOS/nixpkgs 2019-02-11T21
• fix-perl-shebang in NixOS/nixpkgs 2019-02-14T22
• revert-54900-haskell-shellfor-null-src in NixOS/nixpkgs 2019-02-15T11
• update-parallel in NixOS/nixpkgs 2019-02-24T08
• staging-19.03 in NixOS/nixpkgs 2019-02-27T09
• mas in NixOS/nixpkgs 2019-03-01T09
• fix-xfstests in NixOS/nixpkgs 2019-03-09T19
• fix-ima-evm-utils-build in NixOS/nixpkgs 2019-03-10T20
• pull/56990/head in NixOS/nixpkgs 2019-03-14T17
• revert-55192-master in NixOS/nixpkgs 2019-03-15T13
• update-homebank in NixOS/nixpkgs 2019-03-16T13
• pr/57326 in NixOS/nixpkgs 2019-03-28T19
• revert-58308-auto-update/libtermkey in NixOS/nixpkgs 2019-04-03T14
• pull/58858/head in NixOS/nixpkgs 2019-04-08T19
• revert-58871-auto-update/resilio-sync in NixOS/nixpkgs 2019-04-09T21
• update-calibre in NixOS/nixpkgs 2019-04-19T06
• revert-59626-auto-update/osinfo-db in NixOS/nixpkgs 2019-04-21T13
• fix-classy-prelude-yesod-and-esqueleto in NixOS/nixpkgs 2019-05-02T16
• kevincox-hash-fix in NixOS/nixpkgs 2019-05-03T20
• revert-62691-update/spidermonkey_60.7.0 in NixOS/nixpkgs 2019-06-05T13
• nodejs-v10-default in NixOS/nixpkgs 2019-06-14T09
• gcc-8 in NixOS/nixpkgs 2019-06-14T16
• nixpkgs-master in NixOS/nixpkgs 2019-06-18T20
• nixpkgs-master in NixOS/nixpkgs 2019-06-18T20
• node10-small in NixOS/nixpkgs 2019-06-21T08
• ast in NixOS/nixpkgs 2019-06-21T15
• backport-systemd-boot-configurationLimit in NixOS/nixpkgs 2019-06-25T09
• binaryCaches-default in NixOS/nixpkgs 2019-06-26T12
• noxlibs-nognome in NixOS/nixpkgs 2019-06-28T13
• nixpkgs-master in NixOS/nixpkgs 2019-07-03T16
• new-issue-template in NixOS/nixpkgs 2019-07-17T09
• openssh-known-hosts-ca in NixOS/nixpkgs 2019-07-21T14
• revert-65602-spotify/update/1.1.10.546 in NixOS/nixpkgs 2019-08-03T09
• pgcli-2.1.1 in NixOS/nixpkgs 2019-08-05T08
• pacien-postgresql-wal-receiver in NixOS/nixpkgs 2019-08-07T13
• r-updates in NixOS/nixpkgs 2019-08-11T18
• nixpkgs/liburing-release-tweak in NixOS/nixpkgs 2019-08-20T14
• cargofetch-lock in NixOS/nixpkgs 2019-08-24T12
• busybox-static in NixOS/nixpkgs 2019-08-28T18
• nixpkgs-master in NixOS/nixpkgs 2019-09-01T11
• nixpkgs-master in NixOS/nixpkgs 2019-09-01T11
• cve in NixOS/nixpkgs 2019-09-06T13
• staging-19.09 in NixOS/nixpkgs 2019-09-09T15
• release-19.09 in NixOS/nixpkgs 2019-09-09T14
• gnome-3.34 in NixOS/nixpkgs 2019-09-12T19
• mine-2019-09-18 in NixOS/nixpkgs 2019-09-18T15
• srt-1.4.0 in NixOS/nixpkgs 2019-09-21T17
• consul-1.6.1 in NixOS/nixpkgs 2019-09-21T17
• fix-predictable-ifnames-in-initrd in NixOS/nixpkgs 2019-09-22T15
• aws-sdk-cpp-fix-musl in NixOS/nixpkgs 2019-09-22T21
• revert-69398-fancontrol in NixOS/nixpkgs 2019-09-25T16
• nix-static in NixOS/nixpkgs 2019-09-29T14
• hol_light-2019-10-06 in NixOS/nixpkgs 2019-10-08T21
• elm-19.1 in NixOS/nixpkgs 2019-10-21T14
• gazally-yggdrasil in NixOS/nixpkgs 2019-10-26T11
• structured-attrs in NixOS/nixpkgs 2019-10-26T13
• revert-60971-auto-update/frostwire in NixOS/nixpkgs 2019-11-02T10
• bash-no-undef-vars in NixOS/nixpkgs 2019-11-08T20
• libgcrypt-cross in NixOS/nixpkgs 2019-11-13T00
• revert-74549-auto-update/python3.8-google-resumable-media in NixOS/nixpkgs 2019-11-29T21
• t/mailman in NixOS/nixpkgs 2019-12-16T18
• nixos-option-description-swap-file in NixOS/nixpkgs 2019-12-28T14
• revert-76842-add-doc-to-ghc-wrapper in NixOS/nixpkgs 2020-01-10T14
• nodejs-stable-12.14.1 in NixOS/nixpkgs 2020-02-02T17
• revert-78824-auto-update/rsyslog in NixOS/nixpkgs 2020-02-06T20
• glibc231 in NixOS/nixpkgs 2020-02-06T20
• fix-predictable-ifnames-in-initrd-19.09 in NixOS/nixpkgs 2020-02-08T15
• staging-20.03 in NixOS/nixpkgs 2020-02-10T21
• nixos-20.03 in NixOS/nixpkgs 2020-02-20T11
• u/teensy in NixOS/nixpkgs 2020-03-02T09
• gnome-3.36 in NixOS/nixpkgs 2020-03-03T15
• pull/81785/head in NixOS/nixpkgs 2020-03-07T12
• arm-bootstrap in NixOS/nixpkgs 2020-03-08T12
• revert-82252-radius-http2 in NixOS/nixpkgs 2020-03-10T15
• revert-81950-auto-update/pari in NixOS/nixpkgs 2020-03-11T10
• yggdrasil in NixOS/nixpkgs 2020-03-12T16
• revert-84025-auto-update/tessera in NixOS/nixpkgs 2020-04-03T14
• acpi-call in NixOS/nixpkgs 2020-04-07T12
• zfs in NixOS/nixpkgs 2020-04-07T12
• sysdig in NixOS/nixpkgs 2020-04-07T12
• revert-84876-auto-update/ocaml4.09.1-ctypes in NixOS/nixpkgs 2020-04-12T13
• treewide-broken-20.03 in NixOS/nixpkgs 2020-04-15T19
• fix-srconly in NixOS/nixpkgs 2020-04-21T13
• revert-88474-vmware-image in NixOS/nixpkgs 2020-05-21T15
• staging-patchelf in NixOS/nixpkgs 2020-06-09T14
• fetchurl-no-hash in NixOS/nixpkgs 2020-06-09T15
• revert-91160-nixos-hardware-merge in NixOS/nixpkgs 2020-06-20T12
• u/kde in NixOS/nixpkgs 2020-06-26T08
• init/batsignal in NixOS/nixpkgs 2020-06-28T14
• gnome-20.03 in NixOS/nixpkgs 2020-07-14T12
• gnome-stable in NixOS/nixpkgs 2020-07-14T12
• gnome-20.03 in NixOS/nixpkgs 2020-07-16T20
• revert-89017-package-grouping in NixOS/nixpkgs 2020-07-18T07
• ios-deploy-update in NixOS/nixpkgs 2020-07-21T15
• f/do in NixOS/nixpkgs 2020-07-23T11
• mprime in NixOS/nixpkgs 2020-07-27T09
• glibc232 in NixOS/nixpkgs 2020-08-10T14
• f/emacs in NixOS/nixpkgs 2020-08-16T15
• systemd-246 in NixOS/nixpkgs 2020-08-24T10
• nixos-20.09 in NixOS/nixpkgs 2020-09-09T07
• kevincox-chrony-state in NixOS/nixpkgs 2020-09-09T19
• pull/97612/head in NixOS/nixpkgs 2020-09-10T18
• revert-79578-git-zsh-completion in NixOS/nixpkgs 2020-09-14T22
• cytoscape-3.8.0 in NixOS/nixpkgs 2020-09-25T09
• kevincox-b2 in NixOS/nixpkgs 2020-09-25T20
• worldofpeace-patch-1 in NixOS/nixpkgs 2020-09-28T10
• nixpkgs-20.09-darwin in NixOS/nixpkgs 2020-09-30T11
• systemd-lib-reintroduce in NixOS/nixpkgs 2020-10-02T12
• gstreamer-1.18.0-srt-packetfilter in NixOS/nixpkgs 2020-10-05T15
• avahi-networkd-test in NixOS/nixpkgs 2020-10-11T18
• python-unstable in NixOS/nixpkgs 2020-10-25T09
• gnome-3.38 in NixOS/nixpkgs 2020-10-31T09
• firefox-82.02 in NixOS/nixpkgs 2020-10-31T19
• revert-96767 in NixOS/nixpkgs 2020-11-11T17
• remove-bluespec in NixOS/nixpkgs 2020-11-11T19
• maintainers-Br1ght0ne-rename in NixOS/nixpkgs 2020-11-17T11
• nixos-cross-wayland in NixOS/nixpkgs 2020-11-27T09
• wip/splice-more in NixOS/nixpkgs 2020-11-29T15
• more-rustc-musl in NixOS/nixpkgs 2020-11-29T17
• fwupd-1.5.3 in NixOS/nixpkgs 2020-12-08T14
• stalebot in NixOS/nixpkgs 2020-12-09T20
• revert-97023-module-assertions in NixOS/nixpkgs 2020-12-18T15
• zsh-powerlevel10k in NixOS/nixpkgs 2020-12-18T17
• yugabyte in NixOS/nixpkgs 2021-01-30T18
• hwi in NixOS/nixpkgs 2021-03-27T18
• aacgain in NixOS/nixpkgs 2021-03-29T18
• SuperSandro2000-patch-1 in NixOS/nixpkgs 2021-04-07T13
• github-runner_eval_fix in NixOS/nixpkgs 2021-04-10T11
• mas in NixOS/nixpkgs 2021-04-23T20
• lukegb-tela-icon-theme in NixOS/nixpkgs 2021-05-02T14

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/branch-protection-policies/6410/34

[anund]

#249117 appears to have changed this somewhat. Possibly this issue can close.

[infinisil]

Also see the recently introduced GitHub Rulesets, which is a better version of the previous branch protection rules. In particular it allows anybody to view them, and they don't have any quirks about when they apply.