Protect Bucket4j main branch (#293)

- Block Force pushes - Require a PR to merge to main
quarkiverse · Oct 16, 2024 · 7bda84e · 7bda84e
1 parent af318c4
commit 7bda84e
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/terraform-scripts/main.tf b/terraform-scripts/main.tf
@@ -29,6 +29,10 @@ data "github_team" "quarkiverse_members" {
   slug = "quarkiverse-members"
 }
 
+data "github_app" "quarkiverse_ci" {
+  slug = "quarkiverse-ci"
+}
+
 locals {
   # Application IDs installed in the Quarkiverse organization
   # These applications are enabled on a per-repository basis

diff --git a/terraform-scripts/quarkus-bucket4j.tf b/terraform-scripts/quarkus-bucket4j.tf
@@ -3,6 +3,8 @@ resource "github_repository" "quarkus_bucket4j" {
   name                   = "quarkus-bucket4j"
   description            = "Java rate limiting library based on token-bucket algorithm Quarkus extension"
   homepage_url           = "https://bucket4j.com/"
+  allow_merge_commit     = false
+  allow_rebase_merge     = false
   allow_update_branch    = true
   archive_on_destroy     = true
   delete_branch_on_merge = true
@@ -35,3 +37,34 @@ resource "github_team_membership" "quarkus_bucket4j" {
   username = each.value
   role     = "maintainer"
 }
+
+# Protect main branch using a ruleset
+resource "github_repository_ruleset" "quarkus_bucket4j" {
+  name        = "main"
+  repository  = github_repository.quarkus_bucket4j.name
+  target      = "branch"
+  enforcement = "active"
+
+  conditions {
+    ref_name {
+      include = ["~DEFAULT_BRANCH"]
+      exclude = []
+    }
+  }
+
+  bypass_actors {
+    actor_id    = data.github_app.quarkiverse_ci.id
+    actor_type  = "Integration"
+    bypass_mode = "always"
+  }
+
+  rules {
+    # Prevent force push
+    non_fast_forward = true
+    # Require pull request reviews before merging
+    pull_request {
+
+    }
+  }
+}
+