From 7bda84e25495165446203d5381aacc730190f85d Mon Sep 17 00:00:00 2001 From: George Gastaldi Date: Wed, 16 Oct 2024 11:07:05 -0300 Subject: [PATCH] Protect Bucket4j main branch (#293) - Block Force pushes - Require a PR to merge to main --- terraform-scripts/main.tf | 4 ++++ terraform-scripts/quarkus-bucket4j.tf | 33 +++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/terraform-scripts/main.tf b/terraform-scripts/main.tf index db4035a..ea78485 100644 --- a/terraform-scripts/main.tf +++ b/terraform-scripts/main.tf @@ -29,6 +29,10 @@ data "github_team" "quarkiverse_members" { slug = "quarkiverse-members" } +data "github_app" "quarkiverse_ci" { + slug = "quarkiverse-ci" +} + locals { # Application IDs installed in the Quarkiverse organization # These applications are enabled on a per-repository basis diff --git a/terraform-scripts/quarkus-bucket4j.tf b/terraform-scripts/quarkus-bucket4j.tf index c572689..1753c60 100644 --- a/terraform-scripts/quarkus-bucket4j.tf +++ b/terraform-scripts/quarkus-bucket4j.tf @@ -3,6 +3,8 @@ resource "github_repository" "quarkus_bucket4j" { name = "quarkus-bucket4j" description = "Java rate limiting library based on token-bucket algorithm Quarkus extension" homepage_url = "https://bucket4j.com/" + allow_merge_commit = false + allow_rebase_merge = false allow_update_branch = true archive_on_destroy = true delete_branch_on_merge = true @@ -35,3 +37,34 @@ resource "github_team_membership" "quarkus_bucket4j" { username = each.value role = "maintainer" } + +# Protect main branch using a ruleset +resource "github_repository_ruleset" "quarkus_bucket4j" { + name = "main" + repository = github_repository.quarkus_bucket4j.name + target = "branch" + enforcement = "active" + + conditions { + ref_name { + include = ["~DEFAULT_BRANCH"] + exclude = [] + } + } + + bypass_actors { + actor_id = data.github_app.quarkiverse_ci.id + actor_type = "Integration" + bypass_mode = "always" + } + + rules { + # Prevent force push + non_fast_forward = true + # Require pull request reviews before merging + pull_request { + + } + } +} +