Skip to content

feat: implement rulesets for branch protections #2168

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
amustaque97 wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: implement rulesets for branch protections #2168

amustaque97 wants to merge 5 commits into from

Conversation

@amustaque97
Copy link
Contributor

@amustaque97 amustaque97 commented Dec 10, 2025

Related to #1735

@amustaque97 amustaque97 marked this pull request as ready for review December 10, 2025 05:06
@github-actions
Copy link

github-actions bot commented Dec 10, 2025

Dry-run check results 

[WARN  sync_team] sync-team is running in dry mode, no changes will be applied.
[INFO  sync_team] synchronizing crates-io
[INFO  sync_team] synchronizing github

@jieyouxu jieyouxu added S-waiting-on-review Status: waiting on review from a team/WG/PG lead, an infra-admin, and/or a team-repo-admin. T-infra Relevant to the infrastructure team. labels Dec 10, 2025
@marcoieni
Copy link
Member

marcoieni commented Dec 15, 2025

unfortunately there are merge conflicts 😭

@amustaque97 amustaque97 force-pushed the feat/1735-add-ruleset-support branch 3 times, most recently from effc88e to a9f0337 Compare December 16, 2025 07:24
marcoieni
marcoieni reviewed Dec 16, 2025
View reviewed changes
marcoieni
marcoieni reviewed Dec 16, 2025
View reviewed changes
@amustaque97 amustaque97 mentioned this pull request Dec 16, 2025
Merged
@amustaque97 amustaque97 force-pushed the feat/1735-add-ruleset-support branch from b667d31 to 2b33998 Compare December 16, 2025 12:11
marcoieni
marcoieni reviewed Dec 16, 2025
View reviewed changes
sync-team/src/github/tests/test_utils.rs Outdated
_org: &str,
_repo: &str,
) -> anyhow::Result<Vec<crate::github::api::Ruleset>> {
// Return empty list for tests - rulesets not used in mock tests yet
Copy link
Member

@marcoieni marcoieni Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you want to do this in another PR?

Copy link
Contributor Author

@amustaque97 amustaque97 Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My initial idea was to submit a PR with minimum changes and improve it further based on the feedback, and write test cases. This was simple enough, so I pushed the actual test case.
Thanks for highlighting it.

@marcoieni
Copy link
Member

marcoieni commented Dec 17, 2025

This feature is missing:

  • documentation updates for the toml config file
  • a change to a repository (eg bors) to test that the feature works.

Do you want to do these changes in another PR?

marcoieni
marcoieni reviewed Dec 17, 2025
View reviewed changes
marcoieni
marcoieni reviewed Dec 17, 2025
View reviewed changes
marcoieni
marcoieni reviewed Dec 17, 2025
View reviewed changes
@amustaque97
Copy link
Contributor Author

amustaque97 commented Dec 18, 2025
edited
Loading

Do you want to do these changes in another PR?

I was thinking that when we're sure the feature is stable, we can update the docs and extend the feature to have its own standalone config. Right now, it just copies the branch protection rules without an explicit config. Sure, we can accommodate both changes in a single PR. WDYT?

marcoieni
marcoieni reviewed Dec 18, 2025
View reviewed changes
sync-team/src/github/mod.rs

/// Convert a branch protection to a ruleset with merge queue enabled
pub fn construct_ruleset(
_expected_repo: &rust_team_data::v1::Repo,
Copy link
Member

@marcoieni marcoieni Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why this parameter is unused? Should we remove it?

Copy link
Contributor Author

@amustaque97 amustaque97 Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This variable will be used during the implementation of the bypass actor sub-property.

Copy link
Contributor Author

@amustaque97 amustaque97 Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’m fine keeping this unused variable, since I’ll be addressing the next bypass actor–related issue right after this PR, and then the final configuration and documentation PR.

sync-team/src/github/mod.rs
Comment on lines +892 to +901
let uses_merge_bot = !branch_protection.merge_bots.is_empty();
let branch_protection_mode = if uses_merge_bot {
BranchProtectionMode::PrNotRequired
} else {
branch_protection.mode.clone()
};
Copy link
Member

@marcoieni marcoieni Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no repository uses merge_bot as far as I can see.
This option is not even documented. Why using it?

Maybe I'm missing something.

Copy link
Member

@Kobzol Kobzol Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's used by rust-lang/rust.

sync-team/src/github/mod.rs
min_entries_to_merge: 0,
min_entries_to_merge_wait_minutes: 0,
},
});
Copy link
Member

@marcoieni marcoieni Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no all repos use merge queues.
Probably merge queues should be configured from the repository toml file.
But it can be done in another pr

@marcoieni
Copy link
Member

marcoieni commented Dec 18, 2025
edited
Loading

The dry run seems to work:

    📝 Editing repo 'rust-lang/bors':
      Branch Protections:
          main
            Deleting branch protection
      Rulesets:
          Branch protection for main
            Creating ruleset with merge queue enabled

However it would be nice if the dry run would print the ruleset itself (ie its rules etc).

As an example, you can have a look at the following dry run:

    📝 Editing repo 'rust-lang/cmake-rs':
      Branch Protections:
          main
            Dismiss Stale Reviews: false
            Is admin enforced: true
            Required Approving Review Count: 0
            Requires PR: true
            Required Checks: ["success"]
            Allowances: []
          master
            Deleting branch protection

@marcoieni
Copy link
Member

marcoieni commented Dec 19, 2025

New dry run:

[WARN  sync_team] sync-team is running in dry mode, no changes will be applied.
[INFO  sync_team] synchronizing crates-io
[INFO  sync_team] synchronizing github
[INFO  sync_team] 💻 Repo Diffs:
    📝 Editing repo 'rust-lang/bors':
      Branch Protections:
          main
            Deleting branch protection
      Rulesets:
          Branch protection for main
            Target: Branch
            Source Type: Repository
            Enforcement: Active
            Include Branches: ["main"]
            Rule: Pull Request
              Dismiss Stale Reviews: false
              Require Code Owner Review: false
              Require Last Push Approval: false
              Required Approving Review Count: 0
              Required Review Thread Resolution: false
            Rule: Required Status Checks
              Strict Policy: false
              Checks: ["Test", "Test Docker"]
            Rule: Merge Queue
              Timeout: 360 minutes
              Grouping Strategy: Allgreen
              Merge Method: Merge
              Max Entries to Build: 5
              Max Entries to Merge: 5
              Min Entries to Merge: 0
              Min Wait Time: 0 minutes

@amustaque97
Copy link
Contributor Author

amustaque97 commented Dec 19, 2025

New dry run:

[WARN  sync_team] sync-team is running in dry mode, no changes will be applied.
[INFO  sync_team] synchronizing crates-io
[INFO  sync_team] synchronizing github
[INFO  sync_team] 💻 Repo Diffs:
    📝 Editing repo 'rust-lang/bors':
      Branch Protections:
          main
            Deleting branch protection
      Rulesets:
          Branch protection for main
            Target: Branch
            Source Type: Repository
            Enforcement: Active
            Include Branches: ["main"]
            Rule: Pull Request
              Dismiss Stale Reviews: false
              Require Code Owner Review: false
              Require Last Push Approval: false
              Required Approving Review Count: 0
              Required Review Thread Resolution: false
            Rule: Required Status Checks
              Strict Policy: false
              Checks: ["Test", "Test Docker"]
            Rule: Merge Queue
              Timeout: 360 minutes
              Grouping Strategy: Allgreen
              Merge Method: Merge
              Max Entries to Build: 5
              Max Entries to Merge: 5
              Min Entries to Merge: 0
              Min Wait Time: 0 minutes

This looks good to me. I know most of the values are default/fixed. These will be changed to a full-fledged configuration in the next PR. Thoughts @marcoieni?

@marcoieni
Copy link
Member

marcoieni commented Dec 19, 2025

github com_rust-lang_bors_settings_branch_protection_rules_47732890 bors branch protection rule for backup

marcoieni
marcoieni reviewed Dec 19, 2025
View reviewed changes
sync-team/src/github/mod.rs
}
}
};
}
Copy link
Member

@marcoieni marcoieni Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why this needs to be a macro vs a function taking generics for example? Maybe something we can improve in another pr

@amustaque97 amustaque97 force-pushed the feat/1735-add-ruleset-support branch from a830b7e to de5a87c Compare December 19, 2025 15:02
marcoieni
marcoieni previously approved these changes Dec 19, 2025
View reviewed changes
@marcoieni marcoieni added this pull request to the merge queue Dec 19, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 19, 2025
@marcoieni
Copy link
Member

marcoieni commented Dec 19, 2025
edited
Loading

There was an error while applying:

[ERROR rust_team] failed: Body: "{\"message\":\"Validation Failed\",\"errors\":[\"Invalid target patterns: 'main'\"],\"documentation_url\":\"https://docs.github.com/rest/repos/rules#create-a-repository-ruleset\",\"status\":\"422\"}"

Now bors is without branch protections momentarely.

marcoieni
marcoieni reviewed Dec 19, 2025
View reviewed changes
sync-team/src/github/api/mod.rs
pub(crate) id: Option<i64>,
pub(crate) name: String,
pub(crate) target: RulesetTarget,
pub(crate) source_type: RulesetSourceType,
Copy link
Member

@marcoieni marcoieni Dec 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this field is not present in the request, only in the response, right?

Copy link
Contributor Author

@amustaque97 amustaque97 Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue was enum RulesetSourceType was not using PascalCase to match GitHub's API format.

Along with this,

  • I also handled the optional fields.
  • Fixed some deserialization issues.

@marcoieni
Copy link
Member

marcoieni commented Dec 19, 2025
edited
Loading

I triggered the workflow manually from the main branch to restore branch protections in bors

@amustaque97 amustaque97 force-pushed the feat/1735-add-ruleset-support branch from de5a87c to 7189083 Compare December 19, 2025 16:37
@amustaque97
Copy link
Contributor Author

amustaque97 commented Dec 19, 2025

I have made all the fixes and run it locally; it is working. Here is the recording for reference.

Screen.Recording.2025-12-19.at.10.56.21.PM.mov

@marcoieni
Copy link
Member

marcoieni commented Dec 19, 2025

Thanks! I don't want to merge this on friday evening because if there are issues I can't fix them, so I will take a look on Monday morning. I hope you don't mind!

Since I re-run the workflow from the main branch, the bors repo has branch protection again 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marcoieni marcoieni marcoieni left review comments

@Mark-Simulacrum Mark-Simulacrum Awaiting requested review from Mark-Simulacrum Mark-Simulacrum is a code owner

@pietroalbini pietroalbini Awaiting requested review from pietroalbini pietroalbini is a code owner

@jdno jdno Awaiting requested review from jdno jdno is a code owner

+1 more reviewer

@Kobzol Kobzol Kobzol left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

S-waiting-on-review Status: waiting on review from a team/WG/PG lead, an infra-admin, and/or a team-repo-admin. T-infra Relevant to the infrastructure team.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@amustaque97 @marcoieni @Kobzol @jieyouxu