Enforce review policy #9120

README.md

@@ -95,6 +95,7 @@ your repository.
 | github<br>topics `array` |-| GitHub topics. An array of strings.|
 | github<br>default_branch `string` |main| Default branch configuration in GitHub (default main). Override for older repositories that still use master branch. Consider updating your repository to include a main branch and remove this option.|
 | github<br>workflows<br>review `boolean` |true| The review workflow will trigger for pull requests and will check if the commit messages conform with conventional commits, and if cards are referenced as part of the commit message.|
+| github<br>enforce_review_policy `boolean` |false| Enables the following GitHub branch protection rules:<ul> <li>prevent force push to default branch</li> <li>prevent deletion of default branch</li> <li>prevent PR authors from merging their own changes</li> <li>prevent reviewers from merging PRs unless all conversations are resolved and the latest changes reviewed</li> </ul>|
 | github<br>features<br>dependabot_auto_merge `boolean` |true| Generate workflow that automatically merges Dependabot PRs for patch and minor version releases.<br> *Note that merging the PR won't automatically trigger other followup workflows.*|
 | github<br>features<br>downloads `boolean` |true| Enable repository downloads.|
 | github<br>features<br>squash_merge `boolean` |true| Allow squash-merging pull requests.|

docs/partials/readme.configuration.md

@@ -20,6 +20,7 @@
 | github<br>topics `array` |-| GitHub topics. An array of strings.|
 | github<br>default_branch `string` |main| Default branch configuration in GitHub (default main). Override for older repositories that still use master branch. Consider updating your repository to include a main branch and remove this option.|
 | github<br>workflows<br>review `boolean` |true| The review workflow will trigger for pull requests and will check if the commit messages conform with conventional commits, and if cards are referenced as part of the commit message.|
+| github<br>enforce_review_policy `boolean` |false| Enables the following GitHub branch protection rules:<ul> <li>prevent force push to default branch</li> <li>prevent deletion of default branch</li> <li>prevent PR authors from merging their own changes</li> <li>prevent reviewers from merging PRs unless all conversations are resolved and the latest changes reviewed</li> </ul>|
 | github<br>features<br>dependabot_auto_merge `boolean` |true| Generate workflow that automatically merges Dependabot PRs for patch and minor version releases.<br> *Note that merging the PR won't automatically trigger other followup workflows.*|
 | github<br>features<br>downloads `boolean` |true| Enable repository downloads.|
 | github<br>features<br>squash_merge `boolean` |true| Allow squash-merging pull requests.|

repo.schema.yaml

@@ -145,6 +145,26 @@ properties:
               The review workflow will trigger for pull requests and will check if the commit messages conform with
               conventional commits, and if cards are referenced as part of the commit message.
 
+      review_policy:
+        type: boolean
+        default: false
+        description: >
+          Enables the following GitHub branch protection rules:<ul>
+          <li>prevent force push to default branch</li>
+          <li>prevent deletion of default branch</li>
+          <li>prevent PR authors from merging their own changes</li>
+          <li>prevent reviewers from merging PRs unless all conversations are resolved and the latest
+          changes reviewed</li>
+          </ul>
+
+      default_branch_push_protection:
+        type: boolean
+        default: false
+        description: >
+          Requires `enforce_review_policy` to be also enabled.
+          Prevents contributors with write access from pushing commits to the `default_branch` of the repository.
+          **Enabling this will disable the automatic merging of Dependabot PRs. `dependabot_auto_merge`**
+
       features:
         type: object
         description: GitHub features

repo.yaml

@@ -5,6 +5,7 @@ codeowners:
 description: Ansible playbooks with templated configuration to apply to all LinkORB
   code repositories.
 github:
+  enforce_review_policy: false
   features:
     issues: true
     wiki: true
@@ -13,7 +14,6 @@ github:
   - automation
 license: mit
 license_year: 2024
-name: repo-ansible
 type: other
 version: v0.10.1
 visibility: public

tasks/generate-files.yaml

@@ -23,16 +23,27 @@
     path: "{{ repo_path }}/.github/workflows"
     state: directory
 
-- name: Generate repo-ansible workflow
-  ansible.builtin.copy:
-    src: ./templates/.github/workflows/repo-ansible.yaml
-    dest: "{{ repo_path }}/.github/workflows/repo-ansible.yaml"
+- when: repo.github.default_branch_push_protection
+  name: "disable workflows incompatible with {{ repo.github.default_branch }} branch push protection"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "{{ repo_path }}/.github/workflows/repo-ansible.yaml"
+    - "{{ repo_path }}/.github/workflows/dependabot-auto-merge.yaml"
+
+- when: not repo.github.default_branch_push_protection
+  block:
+  - name: Generate repo-ansible workflow
+    ansible.builtin.copy:
+      src: ./templates/.github/workflows/repo-ansible.yaml
+      dest: "{{ repo_path }}/.github/workflows/repo-ansible.yaml"
 
-- name: Generate dependabot automerge workflow
-  ansible.builtin.copy:
-    src: ./templates/.github/workflows/dependabot-auto-merge.yaml
-    dest: "{{ repo_path }}/.github/workflows/dependabot-auto-merge.yaml"
-  when: repo.github.features.dependabot_auto_merge
+  - name: Generate dependabot automerge workflow
+    ansible.builtin.copy:
+      src: ./templates/.github/workflows/dependabot-auto-merge.yaml
+      dest: "{{ repo_path }}/.github/workflows/dependabot-auto-merge.yaml"
+    when: repo.github.features.dependabot_auto_merge
 
 - name: Generate CODEOWNERS file
   template:

templates/.github/settings.yml.j2

@@ -79,6 +79,28 @@ labels:
     color: CC0000
     description: A repository chore.
 
+{% if repo.github.review_policy %}
+branches:
+  # https://docs.github.com/en/rest/branches/branch-protection?apiVersion=2022-11-28#update-branch-protection
+  - name: {{ repo.github.default_branch }}
+    protection:
+      required_status_checks: null
+      enforce_admins: true
+      required_pull_request_reviews:
+        dismiss_stale_reviews: true
+        required_approving_review_count: 1
+        require_last_push_approval: true
+        bypass_pull_request_allowances:
+          users: ["dependabot[bot]"]       # Dependabot exception for the automatic merging of patch/security fixes
+      restrictions:
+{% if repo.github.default_branch_push_protection %}
+        users: []
+        teams: []
+{% endif %}
+      allow_force_pushes: false
+      allow_deletions: false
+      required_conversation_resolution: true
+{% endif %}
 
 # Milestones: define milestones for Issues and Pull Requests
 {#
@@ -117,37 +139,4 @@ teams:
     permission: admin
   - name: docs
     permission: push
-
-branches:
-  - name: master
-    # https://docs.github.com/en/rest/reference/repos#update-branch-protection
-    # Branch Protection settings. Set to null to disable
-    protection:
-      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
-      required_pull_request_reviews:
-        # The number of approvals required. (1-6)
-        required_approving_review_count: 1
-        # Dismiss approved reviews automatically when a new commit is pushed.
-        dismiss_stale_reviews: true
-        # Blocks merge until code owners have reviewed.
-        require_code_owner_reviews: true
-        # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
-        dismissal_restrictions:
-          users: []
-          teams: []
-      # Required. Require status checks to pass before merging. Set to null to disable
-      required_status_checks:
-        # Required. Require branches to be up to date before merging.
-        strict: true
-        # Required. The list of status checks to require in order to merge into this branch
-        contexts: []
-      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
-      enforce_admins: true
-      # Prevent merge commits from being pushed to matching branches
-      required_linear_history: true
-      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
-      restrictions:
-        apps: []
-        users: []
-        teams: []
 #}