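# Composite action that applies branch protection to one branch through the
# GitHub REST API (PUT /repos/{owner}/{repo}/branches/{branch}/protection).
#
# All inputs are handed to the shell step through `env:` and read as quoted
# shell variables. They are deliberately NOT spliced into the script text with
# ${{ }} expressions: an input value containing a quote or shell metacharacter
# would otherwise be able to change the command that runs.
name: 'Lock branch'
author: 'Pete Sramek'
description: 'Apply branch protection to prevent direct pushes. Requires PRs with configurable approval count; admins can optionally bypass all restrictions.'
inputs:
  branch:
    description: 'Branch name to lock.'
    required: true
  token:
    description: 'GitHub token with administration:write (repo admin) permission. Use a PAT; GITHUB_TOKEN cannot call the branch protection API.'
    required: true
  lock-branch:
    description: 'When true, sets lock_branch to prevent even PR merges (use during automated operations). When false (default), only direct pushes are blocked; PRs can still be merged.'
    required: false
    default: 'false'
  required-approving-review-count:
    description: 'Number of approving reviews required before a PR can be merged. Set to 0 to require PRs without requiring approvals.'
    required: false
    default: '1'
  dismiss-stale-reviews:
    description: 'When true, approved reviews are dismissed when new commits are pushed to the branch.'
    required: false
    default: 'true'
  bypass-admins:
    description: 'When true, repository admins are exempt from all branch protection rules (enforce_admins is disabled). When false (default), admins are also subject to the rules.'
    required: false
    default: 'false'
  skip-pull-request-reviews:
    description: 'When true, sets required_pull_request_reviews to null (removes PR review requirement). Use temporarily before automated merges so the merge API is not blocked. When false (default), PR reviews are required as configured.'
    required: false
    default: 'false'
runs:
  using: composite
  steps:
    - name: 'Lock branch ${{ inputs.branch }}'
      shell: bash
      # Inputs reach the script only as environment variables; the `run:`
      # body below contains no ${{ }} expressions at all.
      env:
        GH_TOKEN: ${{ inputs.token }}
        BRANCH: ${{ inputs.branch }}
        LOCK_BRANCH: ${{ inputs.lock-branch }}
        REVIEW_COUNT: ${{ inputs.required-approving-review-count }}
        DISMISS_STALE: ${{ inputs.dismiss-stale-reviews }}
        BYPASS_ADMINS: ${{ inputs.bypass-admins }}
        SKIP_REVIEWS: ${{ inputs.skip-pull-request-reviews }}
      run: |
        # Validate inputs up front so a bad value fails with a clear message
        # instead of an opaque jq parse error or HTTP 422.
        if [ -z "$BRANCH" ]; then
          echo "::error::Input 'branch' must not be empty."
          exit 1
        fi
        for pair in "lock-branch=$LOCK_BRANCH" "dismiss-stale-reviews=$DISMISS_STALE" \
                    "bypass-admins=$BYPASS_ADMINS" "skip-pull-request-reviews=$SKIP_REVIEWS"; do
          case "${pair#*=}" in
            true|false) ;;
            *)
              echo "::error::Input '${pair%%=*}' must be 'true' or 'false' (got '${pair#*=}')."
              exit 1
              ;;
          esac
        done
        # Must be a canonical non-negative integer: --argjson below parses it
        # as JSON, where a leading zero is a syntax error.
        if ! [[ "$REVIEW_COUNT" =~ ^(0|[1-9][0-9]*)$ ]]; then
          echo "::error::Input 'required-approving-review-count' must be a non-negative integer (got '$REVIEW_COUNT')."
          exit 1
        fi
        # enforce_admins is simply the inverse of bypass-admins.
        ENFORCE_ADMINS=true
        if [ "$BYPASS_ADMINS" = 'true' ]; then
          ENFORCE_ADMINS=false
        fi
        # Build the protection payload with jq. --argjson keeps the booleans and
        # the review count as JSON values rather than strings.
        PAYLOAD=$(jq -n \
          --argjson review_count "$REVIEW_COUNT" \
          --argjson dismiss_stale "$DISMISS_STALE" \
          --argjson enforce_admins "$ENFORCE_ADMINS" \
          --argjson lock_branch "$LOCK_BRANCH" \
          --argjson skip_reviews "$SKIP_REVIEWS" \
          '{
            "required_status_checks": null,
            "enforce_admins": $enforce_admins,
            "required_pull_request_reviews": (if $skip_reviews then null else {
              "dismiss_stale_reviews": $dismiss_stale,
              "require_code_owner_reviews": false,
              "required_approving_review_count": $review_count
            } end),
            "restrictions": null,
            "allow_force_pushes": false,
            "allow_deletions": false,
            "lock_branch": $lock_branch
          }')
        # GITHUB_REPOSITORY is the runner-provided "owner/repo" variable.
        # NOTE(review): the branch name is passed into the URL path unencoded;
        # confirm the API accepts names containing '/' in this form.
        if ! echo "$PAYLOAD" | gh api --method PUT "/repos/$GITHUB_REPOSITORY/branches/$BRANCH/protection" --input -; then
          echo "::error::Failed to apply branch protection to '$BRANCH'. Ensure the token has 'administration: write' permission and the branch exists."
          exit 1
        fi
        echo "🔒 Branch '$BRANCH' is now protected." >> "$GITHUB_STEP_SUMMARY"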