Skip to content

Commit 54a2ce4

Browse files
authored
chore(asf): enable required-status-checks protection on main (#204)
ASF Infra was previously not configuring any branch protection on `main` for this repo — verified via the GitHub protection API (`branches/main/protection` → 404, `branches/main.protected` → false) and confirmed by the prior `.asf.yaml` comment ("No `protected_branches:` block by design"). The comment also said "configured directly in GitHub for now", but inspection shows no direct-on-GitHub rule was ever created. This change moves branch-protection ownership into `.asf.yaml` where it sits next to the rest of the repo config. What landed in `.asf.yaml`: - New `protected_branches: main:` block. - `required_status_checks` lists the eleven contexts that run on every PR against `main` (so they always post a status — a prerequisite for classic branch-protection's required-checks model, which lacks "require only if run" semantics): * Analyze (python) * Analyze (actions) * zizmor * prek * pytest (oauth-draft) * pytest (generate-cve-json) * pytest (skill-validator) * pytest (privacy-llm-checker) * pytest (privacy-llm-redactor) * pytest (vulnogram-oauth-api) * pytest (sandbox-lint) Path-filtered workflows (`asf-allowlist-check`, sandbox-lint's `lint .claude/settings.json against baseline`) are deliberately excluded — making them required would block any PR that didn't touch the filtered paths. `lychee` (link-check) is also excluded; external link rot is a maintenance concern handled by the daily scheduled run, not a merge-blocker. `strict: false` so a merge to `main` does not invalidate every other open PR — standard ASF multi-contributor practice. - `required_linear_history: true` matches the existing `enabled_merge_buttons.squash: true` setting — squash is the only enabled merge mode. - `required_conversation_resolution: true` blocks merge while any review thread is unresolved. Bites independently of the approval requirement. - `required_signatures: false` — external contributors without configured GPG/SSH signing would otherwise be blocked from contributing. - `required_pull_request_reviews:` deliberately OMITTED for now, with a prominent TEMPORARY POSTURE block in the .asf.yaml comments calling out that approvals MUST be re-enabled when the project establishes its own PMC. The framework is in bootstrap under the Airflow PMC umbrella with a small committer set (MISSION.md); requiring approvals at this stage would block routine maintainer self-merges. Status checks alone gate merges in the interim. ASF Infra reconciles `.asf.yaml` within a few minutes of merge. The very next PR against `main` will block on all eleven status checks — including a maintainer's own PRs — but no approval is required for self-merge during this temporary posture. Generated-by: Claude Code (Opus 4.7)
1 parent ca509e9 commit 54a2ce4

1 file changed

Lines changed: 73 additions & 3 deletions

File tree

.asf.yaml

Lines changed: 73 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -100,9 +100,79 @@ github:
100100
# asfyaml / PyGithub interaction is fixed upstream and a release
101101
# workflow exists that needs the environment.
102102

103-
# No `protected_branches:` block by design — branch protections are
104-
# configured directly in GitHub for now. Add here when the project's
105-
# release / branching policy stabilises.
103+
# Branch protection on `main`. ASF Infra reconciles this within a
104+
# few minutes of merge to main (asfyaml feature
105+
# `protected_branches`). Earlier note about "configured directly in
106+
# GitHub" was superseded by inspection — no direct-on-GitHub rule
107+
# ever existed, so the protection now lives here next to the rest
108+
# of the repo config.
109+
#
110+
# TEMPORARY POSTURE — REVISIT AT PMC FORMATION
111+
# --------------------------------------------
112+
# Pull-request approvals are intentionally NOT required while the
113+
# framework is in its bootstrap phase under the Airflow PMC
114+
# umbrella with a small set of committers (see MISSION.md). Once
115+
# the project establishes its own PMC, this block MUST be
116+
# revisited: add a `required_pull_request_reviews:` section with
117+
# `required_approving_review_count: 1` (or higher) and
118+
# `dismiss_stale_reviews` / `require_code_owner_reviews` tuned to
119+
# the new committer / CODEOWNERS shape. Until then, status checks
120+
# alone gate merges — a maintainer can self-merge after CI green.
121+
protected_branches:
122+
main:
123+
# Required status checks. Listed contexts MUST run on every PR
124+
# against `main` — path-filtered workflows are excluded
125+
# (classic branch-protection has no "require only if run"
126+
# semantics, so a path-filtered job that doesn't post a status
127+
# would block the PR). Excluded for that reason:
128+
# `asf-allowlist-check` (paths: `.github/**`) and
129+
# `lint .claude/settings.json against baseline` from
130+
# sandbox-lint (paths: `.claude/settings.json` +
131+
# `tools/sandbox-lint/**`). Also excluded: `lychee` (the
132+
# link-check runs on every PR, but external link rot is a
133+
# maintenance concern handled by the daily schedule — it is
134+
# not a merge-blocker).
135+
required_status_checks:
136+
# `strict: false` — don't require the PR branch to be up
137+
# to date with `main` before merging. With `strict: true`,
138+
# every merge to `main` invalidates every other open PR and
139+
# forces a rebase loop. False matches typical ASF practice
140+
# for multi-contributor repos.
141+
strict: false
142+
contexts:
143+
# CodeQL — two matrix legs (Python + GitHub Actions YAML).
144+
- "Analyze (python)"
145+
- "Analyze (actions)"
146+
# zizmor (GitHub Actions security lint; complements CodeQL).
147+
- "zizmor"
148+
# Pre-commit (prek) — static checks across the repo.
149+
- "prek"
150+
# Per-project pytest matrix from tests.yml. Mirrors the
151+
# `matrix.project[].name` list there; keep these two
152+
# lists in sync when projects are added or renamed.
153+
- "pytest (oauth-draft)"
154+
- "pytest (generate-cve-json)"
155+
- "pytest (skill-validator)"
156+
- "pytest (privacy-llm-checker)"
157+
- "pytest (privacy-llm-redactor)"
158+
- "pytest (vulnogram-oauth-api)"
159+
- "pytest (sandbox-lint)"
160+
# `required_pull_request_reviews:` deliberately omitted — see
161+
# the TEMPORARY POSTURE note above. Re-add at PMC formation.
162+
#
163+
# Linear history matches `enabled_merge_buttons.squash: true`
164+
# above — squash is the only enabled merge mode, so every
165+
# merge results in a single commit on top of main.
166+
required_linear_history: true
167+
# Block merge while review threads remain unresolved. This
168+
# bites even without an approval requirement: any reviewer
169+
# who opens a thread blocks merge until it is resolved.
170+
required_conversation_resolution: true
171+
# Do NOT require signed commits. External contributors
172+
# without configured GPG/SSH signing would be unable to
173+
# contribute. Re-enable if/when the project adopts a
174+
# committer-only signing policy.
175+
required_signatures: false
106176

107177
notifications:
108178
# The framework is hosted under the Airflow PMC umbrella for now;

0 commit comments

Comments
 (0)