From 4106ffa721010080c9aeba7da7faa8dd5ea227f8 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Tue, 14 Apr 2026 18:23:51 +0200 Subject: [PATCH 1/2] Test GitHub Rulesets support in `.asf.yaml` This change migrates branch protection from the deprecated [Protected Branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) feature to [Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets), using the new `rulesets` key added in apache/infrastructure-asfyaml#89. ## Why Rulesets? - Rules are publicly visible at https://github.com/apache/logging-parent/rules - The same ruleset can be applied to multiple branches simultaneously - `app_slug` identifiers replace fragile numeric `app_id` values The `required_signatures` rule was also dropped, as the project decided commit signing is not useful. ## Testing strategy The `.asf.yaml` file for Rulesets is only processed from the default branch. This means any mistake on `main` cannot be corrected without direct push access, which itself would be blocked by the broken rule. To avoid that trap, this PR: 1. Applies the new ruleset only to `test/rulesets`, leaving `main` temporarily unprotected 2. This allows direct fixes to `main` if the ruleset turns out to be misconfigured Once the ruleset is verified to be correct on test/rulesets, a follow-up PR will apply it to `main` and restore full protection. --- .asf.yaml | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/.asf.yaml b/.asf.yaml index 32f9b9c7..29485d91 100644 --- a/.asf.yaml +++ b/.asf.yaml 
@@ -16,7 +16,14 @@ # # `.asf.yaml` is a branch-specific YAML configuration file for Git repositories to control features such as notifications, GitHub settings, etc. -# See its documentation for details: https://cwiki.apache.org/confluence/display/INFRA/Git+-+.asf.yaml+features +# See its documentation for details: https://github.com/apache/infrastructure-asfyaml + +# +# Additional non-standard features +# +meta: + environments: + - github_rulesets # Bare minimum `notifications` to # @@ -61,21 +68,25 @@ github: features: issues: true - # Prevent force pushes to primary branches - protected_branches: - main: - # All commits must be signed - required_signatures: true + # Clear Protected Branches configuration: it is replaced by GitHub Rulesets + protected_branches: { } + + rulesets: + - name: "Branch protection" + type: branch + branches: + includes: + - "test/rulesets" # All reviews must be addressed before merging required_conversation_resolution: true # Require checks to pass before merging required_status_checks: checks: - # The GitHub Actions app: 15368 - - app_id: 15368 + # The GitHub Actions app + - app_slug: github-actions context: "build / build (ubuntu-latest)" - # The GitHub Advanced Security app: 57789 - - app_id: 57789 + # The GitHub Advanced Security app + - app_slug: github-advanced-security context: "CodeQL" # At least one positive review must be present required_pull_request_reviews: From 0ab295e6801760e50aa174f1560b93123ea7421f Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Tue, 14 Apr 2026 22:31:01 +0200 Subject: [PATCH 2/2] fix: `required_status_checks` syntax --- .asf.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.asf.yaml b/.asf.yaml index 29485d91..22857af6 100644 --- a/.asf.yaml +++ b/.asf.yaml 
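Review bot: The new `meta.environments` entry in the first hunk is introduced only by the heading "Additional non-standard features", which does not tell a maintainer what `github_rulesets` turns on or what breaks if it is removed. Judging from the commit message it appears to be the opt-in that makes the `rulesets` key under `github` take effect, so a comment directly above the list item would help, for example `# Opt in to the 'rulesets' key under 'github' (apache/infrastructure-asfyaml#89)`. Confirm that wording against the asfyaml documentation before adding it, since the hunk itself does not show what the environment does.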
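Review bot: After the second hunk `main` has no branch protection at all: `protected_branches: { }` clears the classic rules and the ruleset's `includes` lists only `test/rulesets`, so anyone with write access can force-push, merge without review or merge with failing checks on the default branch until the follow-up lands. The commit message says this is deliberate, but the file does not; a comment above `includes`, such as `# TEMPORARY: only test/rulesets is covered; main is unprotected until the follow-up PR adds it here`, would keep the gap from quietly outliving the test. The removed comment said the old block prevented force pushes, and GitHub rulesets treat blocking force pushes and branch deletion as separate rules, so check on the repository's public rules page that the generated ruleset still blocks both. The ruleset mapping continues past the end of the hunk, so keys outside it may already cover this.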
@@ -81,13 +81,12 @@ github: required_conversation_resolution: true # Require checks to pass before merging required_status_checks: - checks: - # The GitHub Actions app - - app_slug: github-actions - context: "build / build (ubuntu-latest)" - # The GitHub Advanced Security app - - app_slug: github-advanced-security - context: "CodeQL" + # The GitHub Actions app + - app_slug: github-actions + name: "build / build (ubuntu-latest)" + # The GitHub Advanced Security app + - app_slug: github-advanced-security + name: "CodeQL" # At least one positive review must be present required_pull_request_reviews: required_approving_review_count: 1
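Review bot: The comments on the two `required_status_checks` entries name the app but do not say why `app_slug` is there or that `name` must match the reported check exactly. Pinning the app is what stops a same-named status posted by another integration from satisfying the rule, and a renamed job or matrix entry would leave `"build / build (ubuntu-latest)"` as a required check that never reports. A comment above the list would capture both, for example `# app_slug pins each check to the app that must report it; name must match the check run name exactly`. Confirm the pinning behaviour against the asfyaml rulesets documentation, since this hunk only shows the syntax; the ruleset mapping starts before the hunk and continues after it.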