Enable branch protection and auto merge

[laeubi]

This enables branch protection and automerge

[laeubi]

I'm not totally sure about this, what I found in some examples it seem to need match a name.

Basically I want that this check is mandatory:
https://github.com/eclipse-tycho/tycho/actions/workflows/licensecheck.yml

[netomi]

the additional eclipsefdn/eca check is is not needed, as it is already inherited from the default.

For the license checking status, you should use

"call-license-check / check-licenses"

I checked it via the web ui and that the status that is detected. It follows the rules that are explained here: https://otterdog.readthedocs.io/en/latest/reference/organization/repository/status-check/

the jenkins status is correct afacit.

[netomi]

here is a screenshot from the web ui:

[laeubi]

Is there a link to the webui? Is it possible to edit the project file with that so one don't need to edit file by hand?

[laeubi]

@netomi thanks for the hints, I now updated the PR.

[github-actions]

Diff for 5c93936:

Printing local diff:

Actions are indicated with the following symbols:
+   create
!   modify
!   forced update
-   delete

Organization technology.tycho[id=eclipse-tycho]
  there have been 3 validation infos, enable verbose output with '-v' to to display them.

  
!   repository[name="tycho"] {
!     allow_auto_merge                 = false -> true
!     allow_merge_commit               = true -> false
!     homepage                         = "" -> "https://tycho.eclipseprojects.io"
!     topics                           = "['build-tool', 'eclipse', 'java']" -> "['build-tool', 'eclipse', 'java', 'maven', 'OSGi']"
!   }

+   add repo_ruleset[name="main", repository="tycho"] {
+     allows_creations                 = false
+     allows_deletions                 = false
+     allows_force_pushes              = false
+     allows_updates                   = true
+     bypass_actors                    = [
+       "@eclipse-tycho/technology-tycho-committers"
+     ],
+     dismisses_stale_reviews          = true
+     enforcement                      = "active"
+     exclude_refs                     = []
+     include_refs                     = [
+       "refs/heads/main"
+     ],
+     name                             = "main"
+     required_approving_review_count  = "0"
+     required_status_checks           = [
+       "eclipse-eca-validation:eclipsefdn/eca"
+       "continuous-integration/jenkins/pr-head"
+       "call-license-check / check-licenses"
+     ],
+     requires_code_owner_review       = false
+     requires_commit_signatures       = false
+     requires_deployments             = false
+     requires_last_push_approval      = false
+     requires_linear_history          = false
+     requires_pull_request            = true
+     requires_review_thread_resolution = false
+     requires_status_checks           = true
+     requires_strict_status_checks    = false
+   }
  
  Plan: 1 to add, 4 to change, 0 to delete.

Canonical Diff for 5c93936:

Showing canonical diff:

Organization technology.tycho[id=eclipse-tycho]

--- canonical
+++ original
@@ -18,8 +18,6 @@
       gh_pages_build_type: "legacy"
       gh_pages_source_branch: "main"
       gh_pages_source_path: "/"
-      secret_scanning: "enabled"
-      secret_scanning_push_protection: "enabled"
       web_commit_signoff_required: false
       workflows+: {
         default_workflow_permissions: "write"
@@ -27,7 +25,6 @@
     }
     orgs.newRepo('tycho') {
       allow_auto_merge: true
-      allow_merge_commit: false
       delete_branch_on_merge: false
       dependabot_security_updates_enabled: true
       description: "Tycho project repository (tycho)"
@@ -52,8 +49,6 @@
           requires_review_thread_resolution: false
         }
       ]
-      secret_scanning: "enabled"
-      secret_scanning_push_protection: "enabled"
       secrets: [
         orgs.newRepoSecret('GIST_TOKEN') {
           value: "********"

[netomi]

LGTM, can some project lead approve that change?

[laeubi]

I approve this as PL of Tycho project, maybe @akurtakov can give approval as well.

[akurtakov]

Fine with me.

[laeubi]

@netomi one thing I noticed:

I cant approve this PR because it says

Pull request authors can’t approve their own pull request

that seems a bit odd here as a PL can then never approve its own proposed changes :-D

[netomi]

@netomi one thing I noticed:

I cant approve this PR because it says

Pull request authors can’t approve their own pull request

that seems a bit odd here as a PL can then never approve its own proposed changes :-D

thats normal GitHub behavior. You cant approve your own PRs.

[netomi]

changes are live. Two minor things that I had to fix:

• topics must start with a lowercase letter or number, so OSGi was not allowed, I changed that to osgi, will add a validation rule
• the committers team could not be used as bypass actor as it is a secret team, and secret teams can not be used for that. We plan to change the team to public but for now I enabled bypass for all actors with write permissions to the repo which is more or less the same as committers

[laeubi]

@netomi thanks, anyone with write access is fine, we want to use the protection rules manly for auto merge feature and otherwhise trust that committers do the right things (e.g. only bypass checks if they are sure it will fix something very important and the check is broken).