From 6ffa07b6e7cf9a84207534b758847122cb8821a4 Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Mon, 18 May 2026 02:27:50 +0200 Subject: [PATCH] chore(asf): enable required-status-checks protection on main MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ASF Infra was previously not configuring any branch protection on `main` for this repo — verified via the GitHub protection API (`branches/main/protection` → 404, `branches/main.protected` → false) and confirmed by the prior `.asf.yaml` comment ("No `protected_branches:` block by design"). The comment also said "configured directly in GitHub for now", but inspection shows no direct-on-GitHub rule was ever created. This change moves branch-protection ownership into `.asf.yaml` where it sits next to the rest of the repo config. What landed in `.asf.yaml`: - New `protected_branches: main:` block. - `required_status_checks` lists the eleven contexts that run on every PR against `main` (so they always post a status — a prerequisite for classic branch-protection's required-checks model, which lacks "require only if run" semantics): * Analyze (python) * Analyze (actions) * zizmor * prek * pytest (oauth-draft) * pytest (generate-cve-json) * pytest (skill-validator) * pytest (privacy-llm-checker) * pytest (privacy-llm-redactor) * pytest (vulnogram-oauth-api) * pytest (sandbox-lint) Path-filtered workflows (`asf-allowlist-check`, sandbox-lint's `lint .claude/settings.json against baseline`) are deliberately excluded — making them required would block any PR that didn't touch the filtered paths. `lychee` (link-check) is also excluded; external link rot is a maintenance concern handled by the daily scheduled run, not a merge-blocker. `strict: false` so a merge to `main` does not invalidate every other open PR — standard ASF multi-contributor practice. - `required_linear_history: true` matches the existing `enabled_merge_buttons.squash: true` setting — squash is the only enabled merge mode. - `required_conversation_resolution: true` blocks merge while any review thread is unresolved. Bites independently of the approval requirement. - `required_signatures: false` — external contributors without configured GPG/SSH signing would otherwise be blocked from contributing. - `required_pull_request_reviews:` deliberately OMITTED for now, with a prominent TEMPORARY POSTURE block in the .asf.yaml comments calling out that approvals MUST be re-enabled when the project establishes its own PMC. The framework is in bootstrap under the Airflow PMC umbrella with a small committer set (MISSION.md); requiring approvals at this stage would block routine maintainer self-merges. Status checks alone gate merges in the interim. ASF Infra reconciles `.asf.yaml` within a few minutes of merge. The very next PR against `main` will block on all eleven status checks — including a maintainer's own PRs — but no approval is required for self-merge during this temporary posture. Generated-by: Claude Code (Opus 4.7) --- .asf.yaml | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 73 insertions(+), 3 deletions(-) diff --git a/.asf.yaml b/.asf.yaml index 4e72a8c3..f470a4c7 100644 --- a/.asf.yaml +++ b/.asf.yaml @@ -100,9 +100,79 @@ github: # asfyaml / PyGithub interaction is fixed upstream and a release # workflow exists that needs the environment. - # No `protected_branches:` block by design — branch protections are - # configured directly in GitHub for now. Add here when the project's - # release / branching policy stabilises. + # Branch protection on `main`. ASF Infra reconciles this within a + # few minutes of merge to main (asfyaml feature + # `protected_branches`). Earlier note about "configured directly in + # GitHub" was superseded by inspection — no direct-on-GitHub rule + # ever existed, so the protection now lives here next to the rest + # of the repo config. + # + # TEMPORARY POSTURE — REVISIT AT PMC FORMATION + # -------------------------------------------- + # Pull-request approvals are intentionally NOT required while the + # framework is in its bootstrap phase under the Airflow PMC + # umbrella with a small set of committers (see MISSION.md). Once + # the project establishes its own PMC, this block MUST be + # revisited: add a `required_pull_request_reviews:` section with + # `required_approving_review_count: 1` (or higher) and + # `dismiss_stale_reviews` / `require_code_owner_reviews` tuned to + # the new committer / CODEOWNERS shape. Until then, status checks + # alone gate merges — a maintainer can self-merge after CI green. + protected_branches: + main: + # Required status checks. Listed contexts MUST run on every PR + # against `main` — path-filtered workflows are excluded + # (classic branch-protection has no "require only if run" + # semantics, so a path-filtered job that doesn't post a status + # would block the PR). Excluded for that reason: + # `asf-allowlist-check` (paths: `.github/**`) and + # `lint .claude/settings.json against baseline` from + # sandbox-lint (paths: `.claude/settings.json` + + # `tools/sandbox-lint/**`). Also excluded: `lychee` (the + # link-check runs on every PR, but external link rot is a + # maintenance concern handled by the daily schedule — it is + # not a merge-blocker). + required_status_checks: + # `strict: false` — don't require the PR branch to be up + # to date with `main` before merging. With `strict: true`, + # every merge to `main` invalidates every other open PR and + # forces a rebase loop. False matches typical ASF practice + # for multi-contributor repos. + strict: false + contexts: + # CodeQL — two matrix legs (Python + GitHub Actions YAML). + - "Analyze (python)" + - "Analyze (actions)" + # zizmor (GitHub Actions security lint; complements CodeQL). + - "zizmor" + # Pre-commit (prek) — static checks across the repo. + - "prek" + # Per-project pytest matrix from tests.yml. Mirrors the + # `matrix.project[].name` list there; keep these two + # lists in sync when projects are added or renamed. + - "pytest (oauth-draft)" + - "pytest (generate-cve-json)" + - "pytest (skill-validator)" + - "pytest (privacy-llm-checker)" + - "pytest (privacy-llm-redactor)" + - "pytest (vulnogram-oauth-api)" + - "pytest (sandbox-lint)" + # `required_pull_request_reviews:` deliberately omitted — see + # the TEMPORARY POSTURE note above. Re-add at PMC formation. + # + # Linear history matches `enabled_merge_buttons.squash: true` + # above — squash is the only enabled merge mode, so every + # merge results in a single commit on top of main. + required_linear_history: true + # Block merge while review threads remain unresolved. This + # bites even without an approval requirement: any reviewer + # who opens a thread blocks merge until it is resolved. + required_conversation_resolution: true + # Do NOT require signed commits. External contributors + # without configured GPG/SSH signing would be unable to + # contribute. Re-enable if/when the project adopts a + # committer-only signing policy. + required_signatures: false notifications: # The framework is hosted under the Airflow PMC umbrella for now;