Skip to content

Commit 2a7d54c

Browse files
authored
docs(053): Go Report Card/pkg.go.dev badges + branch-protection policy (WP-D1, WP-B6) (#507)
* docs(053): branch-protection policy for main (WP-B6) * docs(053): record execution status of OSS-hardening work packages
1 parent 13dd523 commit 2a7d54c

2 files changed

Lines changed: 108 additions & 0 deletions

File tree

docs/branch-protection.md

Lines changed: 90 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,90 @@
1+
# Branch Protection Policy — `main`
2+
3+
This document describes the intended branch-protection rules for the `main` branch of `mcpproxy-go`.
4+
**Applying or changing these rules is a human/admin action** — the repository owner must run the snippet below or configure the settings manually in the GitHub UI.
5+
6+
---
7+
8+
## Intended Rules
9+
10+
| Rule | Setting |
11+
|------|---------|
12+
| Require pull-request review before merging | ✅ enabled (`REVIEW_REQUIRED`) |
13+
| Required approving reviews | 1 |
14+
| Dismiss stale reviews on new push | ✅ enabled |
15+
| Require status checks to pass before merging | ✅ enabled |
16+
| Required status checks | `lint`, `unit-tests`, `e2e-tests`, `CodeQL`, `Scorecard` |
17+
| Require branches to be up to date before merging | ✅ enabled |
18+
| Require linear history (no merge commits) | ✅ enabled |
19+
| Allow force-pushes | ❌ disabled |
20+
| Allow deletions | ❌ disabled |
21+
| Restrict who can push to matching branches | repository admins only |
22+
23+
---
24+
25+
## Applying / Verifying via `gh api`
26+
27+
Run the following as a repository admin. Replace `<OWNER>` and `<REPO>` if needed (defaults: `smart-mcp-proxy` / `mcpproxy-go`).
28+
29+
```bash
30+
gh api \
31+
--method PUT \
32+
-H "Accept: application/vnd.github+json" \
33+
/repos/smart-mcp-proxy/mcpproxy-go/branches/main/protection \
34+
--input - <<'EOF'
35+
{
36+
"required_status_checks": {
37+
"strict": true,
38+
"contexts": [
39+
"lint",
40+
"unit-tests",
41+
"e2e-tests",
42+
"CodeQL",
43+
"Scorecard"
44+
]
45+
},
46+
"enforce_admins": false,
47+
"required_pull_request_reviews": {
48+
"dismiss_stale_reviews": true,
49+
"require_code_owner_reviews": false,
50+
"required_approving_review_count": 1
51+
},
52+
"restrictions": null,
53+
"required_linear_history": true,
54+
"allow_force_pushes": false,
55+
"allow_deletions": false
56+
}
57+
EOF
58+
```
59+
60+
To **verify** the current settings without changing them:
61+
62+
```bash
63+
gh api \
64+
-H "Accept: application/vnd.github+json" \
65+
/repos/smart-mcp-proxy/mcpproxy-go/branches/main/protection
66+
```
67+
68+
---
69+
70+
## Status Check Names
71+
72+
The `contexts` array above must exactly match the job names (or check names) reported by GitHub Actions.
73+
Confirm the current names with:
74+
75+
```bash
76+
gh api /repos/smart-mcp-proxy/mcpproxy-go/commits/main/check-runs \
77+
--jq '.check_runs[].name' | sort -u
78+
```
79+
80+
Adjust the list in the `PUT` payload if CI job names change.
81+
82+
---
83+
84+
## Notes
85+
86+
- `enforce_admins: false` is intentional so that emergency hotfix merges by admins are still possible; set to `true` for stricter enforcement.
87+
- `restrictions: null` means no push restrictions beyond the PR requirement.
88+
- Linear history prevents merge commits; contributors must rebase their branches before merging.
89+
- The Scorecard check is produced by the `scorecard.yml` workflow added in Spec 053 (WP-B3).
90+
- The CodeQL check is produced by `codeql.yml` (WP-B1).

specs/053-oss-repo-improvements/spec.md

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,24 @@ independent work packages (WPs) so each can be executed in its own session/PR.
2424

2525
---
2626

27+
## Execution status
28+
29+
| Work package | State | Reference |
30+
|--------------|-------|-----------|
31+
| WP-A1, WP-A3 | ✅ Shipped (merged) | PR #500 |
32+
| WP-B1, WP-B2, WP-B3, WP-B4, WP-B5 | ✅ Shipped (merged) | PR #501 |
33+
| WP-C1, WP-C2, WP-C3, WP-C4 | ✅ Shipped (merged) | PR #502 |
34+
| WP-D1 (Go Report Card A+; pkg.go.dev indexed; badges already in README), WP-B6 | 🔄 In review | PR #507 |
35+
| WP-C5 (commitlint PR-title check) | 🔄 In review | PR #508 |
36+
| WP-D2 (server.json → v0.33.1 + publish guide; `packages[]` empty until Docker image ships, `remotes[]` describes HTTP transport) | 🔄 In review | PR #509 |
37+
| WP-A2, WP-F1, WP-F2 (GitHub Sponsors + tiers + outreach) | ⛔ Blocked on user | needs accounts/Stripe |
38+
| WP-F3 | ⛔ Blocked on user | depends on A2/F1 |
39+
| WP-D2 publishing step (registry auth), WP-D3 (awesome-list PRs) | ⛔ Blocked on user | external submission |
40+
| WP-E1, WP-E2, WP-E3 (blog drafts) | ⛔ Blocked on user | drafts agent-able, launch user-led |
41+
| WP-G1 (docs Diátaxis restructure) | ⛔ Blocked on user ||
42+
43+
---
44+
2745
## Track A — Finish Phase 1 (quick wins)
2846

2947
### WP-A1 · Kubernetes-style label taxonomy

0 commit comments

Comments
 (0)