This change migrates branch protection from the deprecated [Protected Branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) feature to [Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets), using the new `rulesets` key added in apache/infrastructure-asfyaml#89.

## Why Rulesets?

- Rules are publicly visible at https://github.com/apache/logging-parent/rules
- The same ruleset can be applied to multiple branches simultaneously
- `app_slug` identifiers replace fragile numeric `app_id` values

The `required_signatures` rule was also dropped, as the project decided commit signing is not useful.

## Testing strategy

The `.asf.yaml` file for Rulesets is only processed from the default branch. This means any mistake on `main` cannot be corrected without direct push access, which itself would be blocked by the broken rule. To avoid that trap, this PR:

1. Applies the new ruleset only to `test/rulesets`, leaving `main` temporarily unprotected
2. This allows direct fixes to `main` if the ruleset turns out to be misconfigured

Once the ruleset is verified to be correct on `test/rulesets`, a follow-up PR will apply it to `main` and restore full protection.
ppkarwasz added a commit to apache/logging-log4j2 that referenced this pull request Apr 14, 2026
Similarly to apache/logging-parent#456 this PR switches from GitHub Branch Protection to Rulesets and:

- Keeps the same rules for `main`, while protection of `2.x` is **temporarily** disabled in case we need to update the `.asf.yaml` file.
- Adds tag protection for the `rel/*` tags.
Pull request overview

Migrates repository branch protection configuration in `.asf.yaml` from legacy Protected Branches to the newer GitHub Rulesets model, using `app_slug`-based status check identifiers and scoping the ruleset to a test branch for safe verification.

Changes:

- Adds `meta.environments: [github_rulesets]` to enable non-standard Rulesets support in `.asf.yaml`.
- Clears `github.protected_branches` and introduces a `github.rulesets` entry targeting `test/rulesets`.
- Switches required status checks from `app_id`/`context` to `app_slug`/`name` and drops `required_signatures`.
Once the ruleset is verified to be correct on `test/rulesets`, I will restore full protection to `main` using a direct push.
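
One way to carry out the verification step described above, as an added example that is not part of this pull request or of the project's tooling: it audits the JSON array returned by GitHub's `GET /repos/{owner}/{repo}/rules/branches/{branch}` endpoint for the test branch and for the default branch. The sample responses, the chosen rule types, the `build` check name and the function names are constructed or hypothetical.

```python
import json

# Constructed sample responses, shaped like the JSON array returned by
# GET /repos/{owner}/{repo}/rules/branches/{branch}. Ids, the repository
# name and the "build" check are invented for illustration.
TEST_BRANCH_RULES = json.loads("""[
  {"type": "pull_request", "ruleset_source_type": "Repository",
   "ruleset_source": "example-org/example-repo", "ruleset_id": 1,
   "parameters": {"required_approving_review_count": 1}},
  {"type": "required_status_checks", "ruleset_source_type": "Repository",
   "ruleset_source": "example-org/example-repo", "ruleset_id": 1,
   "parameters": {"strict_required_status_checks_policy": false,
                  "required_status_checks": [{"context": "build", "integration_id": 1234}]}}
]""")
MAIN_RULES = json.loads("[]")  # main is left unprotected during the test

# Assumption: rule types that stop a maintainer from pushing a fix directly.
BLOCKS_DIRECT_PUSH = {"pull_request", "required_status_checks", "update"}


def audit_branch(rules, want_types=(), want_checks=(), forbid_types=()):
    """Return findings for one branch; an empty list means it matches."""
    active = {r["type"] for r in rules}
    checks = {
        c["context"]
        for r in rules if r["type"] == "required_status_checks"
        for c in r.get("parameters", {}).get("required_status_checks", [])
    }
    findings = [f"missing rule: {t}" for t in want_types if t not in active]
    findings += [f"unexpected rule: {t}" for t in forbid_types if t in active]
    findings += [f"missing status check: {c}" for c in want_checks if c not in checks]
    return findings


def lockout_risk(default_branch_rules):
    """Rule types on the default branch that would block a direct-push fix."""
    return sorted({r["type"] for r in default_branch_rules} & BLOCKS_DIRECT_PUSH)


if __name__ == "__main__":
    print(audit_branch(TEST_BRANCH_RULES,
                       want_types=("pull_request", "required_status_checks"),
                       want_checks=("build",),
                       forbid_types=("required_signatures",)))
    print(lockout_risk(MAIN_RULES))
```

An empty result from `lockout_risk` for the default branch means a misconfigured ruleset can still be corrected by a direct push; a non-empty result lists the rule types that would stand in the way.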