GitHub has recently added a new feature called rulesets which among other things can be used to prevent people from creating branches in the repository. This is something we’ve wanted to do ever since we moved to GitHub in order to prevent people from accidentally creating new branches (which happens quite often).
I’m still not 100% clear on how the rule definitions work, but I think this rule will prevent everyone from creating new branches. The rule is currently disabled, so it won’t affect the main repository, but please review it and let me know if I need to make any changes. If this is confirmed to work then, I’ll turn it on in a few days.
I realize that this rule will prevent creation of release branches, but I’ll work on that issue next. I really want to get something in place quickly to prevent accidental branch creation since this affects everyone.
Playing around with the rule creation in one of my own repos, it seems like you can specify branch names to include/exclude using a regex, so making sure that release branches can be created should be as simple as adding a regex to make sure they aren’t hit by the rule. If the branches are only getting created by one person (or group), they could also just be given the bypass permission.
Otherwise, this looks great! It’s a pretty easy mistake to make when moving stuff around between multiple remotes.
@boomanaiden154-1 I was thinking we would have a “deny all” rule for every branch and then I would have a second rule that allows only certain users to create release/* branches. I’m not sure if you can layer the rules this way, though.
You can add teams (i.e., the Release Managers team) to the bypass list when creating the rule which will exempt them from the rule.
I think you should be able to restrict that team to only being able to create release/* branches too by creating separate rules (i.e., one blanket restriction not including release branches, another one specifically for release branches exempting a specific Github team). Not totally sure if that would work though.
The branch protections (restrict creations and deletions of branches and prevent force pushes) all make a lot of sense to me. As others have said, mistakes happen, so it’s great to have tooling to help us prevent this.
OK, I may have gotten a little carried away, but I think I’m done now. In total, I’ve defined 7 rules. My intention is to disable creation and deletion of all branches, but allow Release Managers to create (but not delete) release/*.x branches. Tag creation and deletion is also enabled except for Release Managers, who are allowed to create (but not delete) llvmorg-* tags.
I also added a rule to prevent anyone from updating the old release branches.
Looks good. Minor nit (and I might be missing something here), but it seems like there is some duplication between the Release Tag Rules/Release Manager Tag Bypass and the Release Manager Branch Bypass/Release Branch Rules sets.
The Release Tag Rules/Release Manager Tag Bypass both contain the following the Block force pushes protection with the Release Manager Tag Bypass rule also having a require linear history protection. I believe any rule with a bypass list allows people on the bypass list to bypass all of the branch protections specified in the rule, so maybe in the Release Manager rules (and it doesn’t seem like letting release managers get around linear history/non-force pushes is what was desired), we should only have the creation restriction protection?
There seems to be some similar things in the tag rules.