From e929ebe4ffc90cf0594ec8256358acd9ee921477 Mon Sep 17 00:00:00 2001
From: "Piotr P. Karwasz"
Date: Tue, 12 May 2026 23:51:01 +0200
Subject: [PATCH 1/4] Add GitHub Rulesets via `.asf.yaml`
Configure a minimal Ruleset to:
- Prevent deletion and force-push on the default (`master`) branch and the `release` branch.
- Prevent deletion, force-push, or update of any `rel/*` tag.
Together, these rules satisfy the Tier 1 protection level defined by [Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) and should allow for [SLSA Source L3](https://slsa.dev/spec/v1.2/source-requirements#source-l3) compliance, once we introduce a workflow to push provenance attestation at each commit.
---
 .asf.yaml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/.asf.yaml b/.asf.yaml
index ac7409dd8..3ae43cdb1 100644
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -13,6 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+#
+# Additional non-standard features
+#
+meta:
+ environments:
+ - github_rulesets
+
 github:
 description: "Apache Commons Parent"
 homepage: https://commons.apache.org/parent/
@@ -28,3 +35,29 @@ notifications:
 pullrequests_bot_dependabot: dependabot@commons.apache.org
 issues_bot_codecov-commenter: notifications@commons.apache.org
 pullrequests_bot_codecov-commenter: notifications@commons.apache.org
+
+ # Clear Protected Branches configuration: it is replaced by GitHub Rulesets
+ protected_branches: ~
+
+ rulesets:
+ # Use minimum level of protection: restrict deletion and force pushes.
+ - name: "Branch protection"
+ type: branch
+ branches:
+ includes:
+ - "~DEFAULT_BRANCH"
+ - "release"
+ # Use raw rules, until a convenience notation for `restrict_update` is introduced.
+ # See: https://github.com/apache/infrastructure-asfyaml/issues/96
+ #
+ # The raw rules need to follow the syntax given in:
+ # https://docs.github.com/en/rest/repos/rules?apiVersion=2026-03-10#update-a-repository-ruleset
+ - name: "Tag protection"
+ type: tag
+ branches:
+ includes:
+ - "rel/*"
+ rules:
+ - type: deletion
+ - type: non_fast_forward
+ - type: update
From 37cc35b31c8961be8d1a370e8aedcaef31716761 Mon Sep 17 00:00:00 2001
From: "Piotr P. Karwasz"
Date: Wed, 13 May 2026 02:05:51 +0200
Subject: [PATCH 2/4] fix: remove `release` branch
---
 .asf.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.asf.yaml b/.asf.yaml
index 3ae43cdb1..76b0e78ba 100644
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -46,7 +46,6 @@ notifications:
 branches:
 includes:
 - "~DEFAULT_BRANCH"
- - "release"
 # Use raw rules, until a convenience notation for `restrict_update` is introduced.
 # See: https://github.com/apache/infrastructure-asfyaml/issues/96
 #
From 1d3a2588fea066b13ff9ef6fbc93dbec3786a8b0 Mon Sep 17 00:00:00 2001
From: "Piotr P. Karwasz"
Date: Sun, 17 May 2026 20:41:47 +0200
Subject: [PATCH 3/4] fix: raw rules syntax
---
 .asf.yaml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/.asf.yaml b/.asf.yaml
index 76b0e78ba..2c038e320 100644
--- a/.asf.yaml
+++ b/.asf.yaml
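Review bot: The "Branch protection" ruleset declares no rules of its own, so the "restrict deletion and force pushes" promise in the comment above it rests entirely on whatever asfyaml's convenience notation (`type: branch` with `branches: includes:`) applies by default, and the hunk does not say whether any actor may bypass it, while the "Tag protection" entry in the same hunk spells its rules out. Either record the defaults in the comment once checked against the asfyaml documentation, e.g. `# asfyaml's branch notation applies deletion + non_fast_forward with no bypass actors (verified against <asfyaml docs version>)`, or write the ruleset in the explicit form so the protection level is visible in the file rather than inherited. `protected_branches: ~` and `protected_branches: null` parse to the same value; the spelled-out form reads more plainly next to the comment that explains the clearing.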
@@ -52,10 +52,14 @@ notifications:
 # The raw rules need to follow the syntax given in:
 # https://docs.github.com/en/rest/repos/rules?apiVersion=2026-03-10#update-a-repository-ruleset
 - name: "Tag protection"
- type: tag
- branches:
- includes:
- - "rel/*"
+ target: tag
+ enforcement: active
+ bypass_actors: []
+ conditions:
+ ref_name:
+ include:
+ - "refs/tags/rel/*"
+ exclude: []
 rules:
 - type: deletion
 - type: non_fast_forward
From 3ab1f68c32b293a814e2896b4907235c51c8d501 Mon Sep 17 00:00:00 2001
From: "Piotr P. Karwasz"
Date: Sun, 17 May 2026 20:43:51 +0200
Subject: [PATCH 4/4] fix: `github_rulesets` environment is on by default
---
 .asf.yaml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/.asf.yaml b/.asf.yaml
index 2c038e320..bd4ec5d43 100644
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -13,13 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
-# Additional non-standard features
-#
-meta:
- environments:
- - github_rulesets
-
 github:
 description: "Apache Commons Parent"
 homepage: https://commons.apache.org/parent/
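Review bot: As I read GitHub's fnmatch rules for ruleset conditions, `*` in `refs/tags/rel/*` does not cross a `/`, so a release tag with a further path segment after `rel/` (should one ever be created) would sit outside this protection; `- "refs/tags/rel/**"` covers nested names too and costs nothing if none exist. The explicit `enforcement: active` and `bypass_actors: []` are worth keeping even if a convenience notation arrives later, because together they document that no actor can push past the deletion, non-fast-forward and update rules on a release tag. The `rules:` list this ruleset applies runs past the end of the hunk (the `update` entry is not visible here), and the "Branch protection" ruleset above the hunk still uses the convenience form and states neither enforcement nor bypass actors, so the two rulesets now read at different levels of explicitness.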