Add protected branches configuration for main branch by dave2wave · Pull Request #642 · apache/infrastructure-actions

dave2wave · 2026-03-31T15:20:28Z

As @potiuk suggested in #638

Signed-off-by: Dave Fisher <dave2wave@comcast.net>

potiuk

Would love others to agree.

raboof

LGTM but would be good to have an infra confirmation as well

.asf.yaml

potiuk · 2026-04-01T19:35:29Z

i think we need to add some options, otherwise default doesnt enforce anything

Agree -> required_approving_review_count = 1 likely.

dave2wave · 2026-04-01T20:55:51Z

Pulsar has some interesting notes about CI workflows these go with their .asf.yaml

Add required status checks and pull request review settings for the main branch. Signed-off-by: Dave Fisher <dave2wave@comcast.net>

kevinjqliu

not sure if we want to set require_code_owner_reviews, everything else looks good to me

.asf.yaml

potiuk · 2026-04-02T12:34:23Z

We do not have CODEOWNERS here ? Do we ? So I guess require_code_owner_reviews: true is not a good idea?

Signed-off-by: Dave Fisher <dave2wave@comcast.net>

raboof

I'm +1 on the concepts and on trying this out, though we should be ready to revert if it turns out it prevents the asfgit automated commits on this repo.

kevinjqliu

LGTM!

Lets track to see if asfgit can still push to main after this is merged

potiuk · 2026-04-04T17:24:38Z

LGTM!

Lets track to see if asfgit can still push to main after this is merged

Ah... It won't be able to - when branches are protected, bots cannot push to - it - that is a major blocker.

potiuk · 2026-04-04T17:25:05Z

The only solution for that (and possibly a good one) would be that the fix creates a PR that we have to merge manually

kevinjqliu · 2026-04-04T18:08:34Z

Looks like it depends on what asfgit's role/permissions are in this repo.

By default, the restrictions of a branch protection rule don't apply to people with admin permissions to the repository or custom roles with the "bypass branch protections" permission. You can optionally apply the restrictions to administrators and roles with the "bypass branch protections" permission, too. For more information, see Managing custom repository roles for an organization.

https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#about-branch-protection-rules

Could you run these to see if asfgit is an admin? I dont have permissions to run it:

gh api repos/apache/infrastructure-actions/collaborators/asfgit/permission
gh api orgs/apache/memberships/asfgit

Another possible solution is to allowlist asfgit explicitly with bypass_pull_request_allowances:
https://docs.github.com/en/rest/branches/branch-protection?apiVersion=2026-03-10#update-pull-request-review-protection

protected_branches:
  main:
    required_status_checks:
      strict: false
    required_pull_request_reviews:
      dismiss_stale_reviews: false
      required_approving_review_count: 1
      bypass_pull_request_allowances:
        users:
          - asfgit

raboof · 2026-04-04T18:34:13Z

The only solution for that (and possibly a good one) would be that the fix creates a PR that we have to merge manually

I think that would create too much work tbh

gh api repos/apache/infrastructure-actions/collaborators/asfgit/permission

I see this token apparently is indeed admin. perhaps we should consider switching to a non-admin token.

bypass_pull_request_allowances

That seems like a much nicer solution

potiuk · 2026-04-04T18:40:26Z

That seems like a much nicer solution

Indeed - if it will work. I remember a change in GitHub that blanket-disabled bots from being able to bypass the "pull request approval" limitation of protected branches. but maybe this is a way to bypass it.

dave2wave · 2026-04-04T19:24:10Z

I'll add this. Let's wait until Monday to merge and test,

      bypass_pull_request_allowances:
        users:
          - asfgit

Signed-off-by: Dave Fisher <dave2wave@comcast.net>

This reverts commit 1faf75d.

dave2wave · 2026-04-04T19:59:00Z

Another possible solution is to allowlist asfgit explicitly with bypass_pull_request_allowances:
https://docs.github.com/en/rest/branches/branch-protection?apiVersion=2026-03-10#update-pull-request-review-protection

This fails because this feature is in the new apiVersion=2026-03-10 and apache/infrastructure-asfyaml is programmed for 2022 apiVersion.

raboof · 2026-04-05T10:28:36Z

Another possible solution is to allowlist asfgit explicitly with bypass_pull_request_allowances:
https://docs.github.com/en/rest/branches/branch-protection?apiVersion=2026-03-10#update-pull-request-review-protection

This fails because this feature is in the new apiVersion=2026-03-10 and apache/infrastructure-asfyaml is programmed for 2022 apiVersion.

filed apache/infrastructure-asfyaml#92

... but it's not a blocker for this PR since asfgit is currently still an admin token, if I understand correctly, right?

Add protected branches configuration for main branch

c312b99

Signed-off-by: Dave Fisher <dave2wave@comcast.net>

dave2wave marked this pull request as ready for review March 31, 2026 15:20

dave2wave requested review from dfoulks1, potiuk and raboof March 31, 2026 15:21

potiuk approved these changes Mar 31, 2026

View reviewed changes

raboof approved these changes Apr 1, 2026

View reviewed changes

raboof mentioned this pull request Apr 1, 2026

Add previous pypa/publish version #638

Merged

kevinjqliu reviewed Apr 1, 2026

View reviewed changes

.asf.yaml Outdated Show resolved Hide resolved

kevinjqliu suggested changes Apr 1, 2026

View reviewed changes

.asf.yaml Outdated Show resolved Hide resolved

Update main branch settings in .asf.yaml

de10bdc

Add required status checks and pull request review settings for the main branch. Signed-off-by: Dave Fisher <dave2wave@comcast.net>

dave2wave requested review from kevinjqliu, potiuk and raboof April 1, 2026 22:51

kevinjqliu reviewed Apr 2, 2026

View reviewed changes

.asf.yaml Show resolved Hide resolved

.asf.yaml Outdated Show resolved Hide resolved

.asf.yaml Show resolved Hide resolved

.asf.yaml Show resolved Hide resolved

Remove requirement for code owner reviews

5b109c3

Signed-off-by: Dave Fisher <dave2wave@comcast.net>

dave2wave requested a review from kevinjqliu April 2, 2026 13:09

raboof approved these changes Apr 2, 2026

View reviewed changes

kevinjqliu approved these changes Apr 2, 2026

View reviewed changes

dave2wave added 2 commits April 4, 2026 12:25

Add bypass_pull_request_allowances for asfgit

1faf75d

Signed-off-by: Dave Fisher <dave2wave@comcast.net>

Revert "Add bypass_pull_request_allowances for asfgit"

dfc02a5

This reverts commit 1faf75d.

dave2wave added 2 commits April 4, 2026 12:47

Try bypass_pull_request_allowances again

a4315b3

Comment out the bypass.

db0765d

raboof mentioned this pull request Apr 5, 2026

support bypass_pull_request_allowances apache/infrastructure-asfyaml#92

Open

Conversation

dave2wave commented Mar 31, 2026

Uh oh!

potiuk left a comment

Choose a reason for hiding this comment

Uh oh!

raboof left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

potiuk commented Apr 1, 2026

Uh oh!

dave2wave commented Apr 1, 2026

Uh oh!

kevinjqliu left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

potiuk commented Apr 2, 2026

Uh oh!

raboof left a comment

Choose a reason for hiding this comment

Uh oh!

kevinjqliu left a comment

Choose a reason for hiding this comment

Uh oh!

potiuk commented Apr 4, 2026

Uh oh!

potiuk commented Apr 4, 2026

Uh oh!

kevinjqliu commented Apr 4, 2026

Uh oh!

raboof commented Apr 4, 2026

Uh oh!

potiuk commented Apr 4, 2026

Uh oh!

dave2wave commented Apr 4, 2026

Uh oh!

dave2wave commented Apr 4, 2026

Uh oh!

raboof commented Apr 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants