|
| 1 | +# Branch Protection Policy — `main` |
| 2 | + |
| 3 | +This document describes the intended branch-protection rules for the `main` branch of `mcpproxy-go`. |
| 4 | +**Applying or changing these rules is a human/admin action** — the repository owner must run the snippet below or configure the settings manually in the GitHub UI. |
| 5 | + |
| 6 | +--- |
| 7 | + |
| 8 | +## Intended Rules |
| 9 | + |
| 10 | +| Rule | Setting | |
| 11 | +|------|---------| |
| 12 | +| Require pull-request review before merging | ✅ enabled (`REVIEW_REQUIRED`) | |
| 13 | +| Required approving reviews | 1 | |
| 14 | +| Dismiss stale reviews on new push | ✅ enabled | |
| 15 | +| Require status checks to pass before merging | ✅ enabled | |
| 16 | +| Required status checks | `lint`, `unit-tests`, `e2e-tests`, `CodeQL`, `Scorecard` | |
| 17 | +| Require branches to be up to date before merging | ✅ enabled | |
| 18 | +| Require linear history (no merge commits) | ✅ enabled | |
| 19 | +| Allow force-pushes | ❌ disabled | |
| 20 | +| Allow deletions | ❌ disabled | |
| 21 | +| Restrict who can push to matching branches | repository admins only | |
| 22 | + |
| 23 | +--- |
| 24 | + |
| 25 | +## Applying / Verifying via `gh api` |
| 26 | + |
| 27 | +Run the following as a repository admin. Replace `<OWNER>` and `<REPO>` if needed (defaults: `smart-mcp-proxy` / `mcpproxy-go`). |
| 28 | + |
| 29 | +```bash |
| 30 | +gh api \ |
| 31 | + --method PUT \ |
| 32 | + -H "Accept: application/vnd.github+json" \ |
| 33 | + /repos/smart-mcp-proxy/mcpproxy-go/branches/main/protection \ |
| 34 | + --input - <<'EOF' |
| 35 | +{ |
| 36 | + "required_status_checks": { |
| 37 | + "strict": true, |
| 38 | + "contexts": [ |
| 39 | + "lint", |
| 40 | + "unit-tests", |
| 41 | + "e2e-tests", |
| 42 | + "CodeQL", |
| 43 | + "Scorecard" |
| 44 | + ] |
| 45 | + }, |
| 46 | + "enforce_admins": false, |
| 47 | + "required_pull_request_reviews": { |
| 48 | + "dismiss_stale_reviews": true, |
| 49 | + "require_code_owner_reviews": false, |
| 50 | + "required_approving_review_count": 1 |
| 51 | + }, |
| 52 | + "restrictions": null, |
| 53 | + "required_linear_history": true, |
| 54 | + "allow_force_pushes": false, |
| 55 | + "allow_deletions": false |
| 56 | +} |
| 57 | +EOF |
| 58 | +``` |
| 59 | + |
| 60 | +To **verify** the current settings without changing them: |
| 61 | + |
| 62 | +```bash |
| 63 | +gh api \ |
| 64 | + -H "Accept: application/vnd.github+json" \ |
| 65 | + /repos/smart-mcp-proxy/mcpproxy-go/branches/main/protection |
| 66 | +``` |
| 67 | + |
| 68 | +--- |
| 69 | + |
| 70 | +## Status Check Names |
| 71 | + |
| 72 | +The `contexts` array above must exactly match the job names (or check names) reported by GitHub Actions. |
| 73 | +Confirm the current names with: |
| 74 | + |
| 75 | +```bash |
| 76 | +gh api /repos/smart-mcp-proxy/mcpproxy-go/commits/main/check-runs \ |
| 77 | + --jq '.check_runs[].name' | sort -u |
| 78 | +``` |
| 79 | + |
| 80 | +Adjust the list in the `PUT` payload if CI job names change. |
| 81 | + |
| 82 | +--- |
| 83 | + |
| 84 | +## Notes |
| 85 | + |
| 86 | +- `enforce_admins: false` is intentional so that emergency hotfix merges by admins are still possible; set to `true` for stricter enforcement. |
| 87 | +- `restrictions: null` means no push restrictions beyond the PR requirement. |
| 88 | +- Linear history prevents merge commits; contributors must rebase their branches before merging. |
| 89 | +- The Scorecard check is produced by the `scorecard.yml` workflow added in Spec 053 (WP-B3). |
| 90 | +- The CodeQL check is produced by `codeql.yml` (WP-B1). |
0 commit comments