feat: implement rulesets for branch protections

config.toml

@@ -80,3 +80,7 @@ members-without-zulip-id = [
     "therealprof",
     "zeenix"
 ]
+
+enable-rulesets-repos = [
+   "rust-lang/bors"
+]

src/data.rs

@@ -235,6 +235,7 @@ impl Data {
         Ok(sync_team::Config {
             special_org_members,
             independent_github_orgs: self.config.independent_github_orgs().clone(),
+            enable_rulesets_repos: self.config.enable_rulesets_repos().clone(),
         })
     }
 }

src/schema.rs

@@ -16,6 +16,8 @@ pub(crate) struct Config {
     // Use a BTreeSet for consistent ordering in tests
     special_org_members: BTreeSet<String>,
     members_without_zulip_id: BTreeSet<String>,
+    #[serde(default)]
+    enable_rulesets_repos: BTreeSet<String>,
 }
 
 impl Config {
@@ -46,6 +48,10 @@ impl Config {
     pub(crate) fn members_without_zulip_id(&self) -> &BTreeSet<String> {
         &self.members_without_zulip_id
     }
+
+    pub(crate) fn enable_rulesets_repos(&self) -> &BTreeSet<String> {
+        &self.enable_rulesets_repos
+    }
 }
 
 // This is an enum to allow two kinds of values for the email field:

sync-team/Cargo.toml

@@ -14,6 +14,7 @@ base64.workspace = true
 hyper-old-types.workspace = true
 serde_json.workspace = true
 secrecy.workspace = true
+indexmap.workspace = true
 
 [dev-dependencies]
 indexmap.workspace = true

sync-team/src/github/api/mod.rs

@@ -479,3 +479,160 @@ pub(crate) struct RepoSettings {
     pub archived: bool,
     pub auto_merge_enabled: bool,
 }
+
+/// GitHub Repository Ruleset
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+pub(crate) struct Ruleset {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(crate) id: Option<i64>,
+    pub(crate) name: String,
+    pub(crate) target: RulesetTarget,
+    pub(crate) source_type: RulesetSourceType,
+    pub(crate) enforcement: RulesetEnforcement,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(crate) bypass_actors: Option<Vec<RulesetBypassActor>>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub(crate) conditions: Option<RulesetConditions>,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub(crate) rules: Vec<RulesetRule>,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub(crate) enum RulesetTarget {
+    Branch,
+    Tag,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub(crate) enum RulesetSourceType {
+    Repository,
+    Organization,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub(crate) enum RulesetEnforcement {
+    Active,
+    Disabled,
+    Evaluate,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+pub(crate) struct RulesetBypassActor {
+    pub(crate) actor_id: i64,
+    pub(crate) actor_type: RulesetActorType,
+    pub(crate) bypass_mode: RulesetBypassMode,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub(crate) enum RulesetActorType {
+    Integration,
+    OrganizationAdmin,
+    RepositoryRole,
+    Team,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub(crate) enum RulesetBypassMode {
+    Always,
+    PullRequest,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+pub(crate) struct RulesetConditions {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(crate) ref_name: Option<RulesetRefNameCondition>,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+pub(crate) struct RulesetRefNameCondition {
+    pub(crate) include: Vec<String>,
+    pub(crate) exclude: Vec<String>,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+#[serde(tag = "type", rename_all = "snake_case")]
+pub(crate) enum RulesetRule {
+    Creation,
+    Update,
+    Deletion,
+    RequiredLinearHistory,
+    MergeQueue {
+        parameters: MergeQueueParameters,
+    },
+    RequiredDeployments {
+        parameters: RequiredDeploymentsParameters,
+    },
+    RequiredSignatures,
+    PullRequest {
+        parameters: PullRequestParameters,
+    },
+    RequiredStatusChecks {
+        parameters: RequiredStatusChecksParameters,
+    },
+    NonFastForward,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+pub(crate) struct MergeQueueParameters {
+    pub(crate) check_response_timeout_minutes: i32,
+    pub(crate) grouping_strategy: MergeQueueGroupingStrategy,
+    pub(crate) max_entries_to_build: i32,
+    pub(crate) max_entries_to_merge: i32,
+    pub(crate) merge_method: MergeQueueMergeMethod,
+    pub(crate) min_entries_to_merge: i32,
+    pub(crate) min_entries_to_merge_wait_minutes: i32,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
+pub(crate) enum MergeQueueGroupingStrategy {
+    Allgreen,
+    Headgreen,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
+pub(crate) enum MergeQueueMergeMethod {
+    Merge,
+    Squash,
+    Rebase,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+pub(crate) struct RequiredDeploymentsParameters {
+    pub(crate) required_deployment_environments: Vec<String>,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+pub(crate) struct PullRequestParameters {
+    pub(crate) dismiss_stale_reviews_on_push: bool,
+    pub(crate) require_code_owner_review: bool,
+    pub(crate) require_last_push_approval: bool,
+    pub(crate) required_approving_review_count: i32,
+    pub(crate) required_review_thread_resolution: bool,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+pub(crate) struct RequiredStatusChecksParameters {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(crate) do_not_enforce_on_create: Option<bool>,
+    pub(crate) required_status_checks: Vec<RequiredStatusCheck>,
+    pub(crate) strict_required_status_checks_policy: bool,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+pub(crate) struct RequiredStatusCheck {
+    pub(crate) context: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(crate) integration_id: Option<i64>,
+}
+
+pub(crate) enum RulesetOp {
+    CreateForRepo,
+    UpdateRuleset(i64),
+}

sync-team/src/github/api/read.rs

@@ -1,3 +1,4 @@
+use crate::github::api::Ruleset;
 use crate::github::api::{
     BranchProtection, GraphNode, GraphNodes, GraphPageInfo, HttpClient, Login, Repo, RepoTeam,
     RepoUser, Team, TeamMember, TeamRole, team_node_id, url::GitHubUrl, user_node_id,
@@ -59,6 +60,14 @@ pub(crate) trait GithubRead {
         org: &str,
         repo: &str,
     ) -> anyhow::Result<HashMap<String, Environment>>;
+
+    /// Get rulesets for a repository
+    /// Returns a vector of rulesets
+    fn repo_rulesets(
+        &self,
+        org: &str,
+        repo: &str,
+    ) -> anyhow::Result<Vec<crate::github::api::Ruleset>>;
 }
 
 pub(crate) struct GitHubApiRead {
@@ -536,4 +545,26 @@ impl GithubRead for GitHubApiRead {
             })
             .collect()
     }
+
+    fn repo_rulesets(
+        &self,
+        org: &str,
+        repo: &str,
+    ) -> anyhow::Result<Vec<crate::github::api::Ruleset>> {
+        let mut rulesets: Vec<Ruleset> = Vec::new();
+
+        // REST API endpoint for rulesets
+        // https://docs.github.com/en/rest/repos/rules#get-all-repository-rulesets
+        // The API returns an array of rulesets directly, not wrapped in an object
+        self.client.rest_paginated(
+            &Method::GET,
+            &GitHubUrl::repos(org, repo, "rulesets")?,
+            |resp: Vec<Ruleset>| {
+                rulesets.extend(resp);
+                Ok(())
+            },
+        )?;
+
+        Ok(rulesets)
+    }
 }

sync-team/src/github/api/write.rs

@@ -766,4 +766,53 @@ impl GitHubWrite {
         }
         Ok(())
     }
+
+    /// Create or update a ruleset for a repository
+    pub(crate) fn upsert_ruleset(
+        &self,
+        op: crate::github::api::RulesetOp,
+        org: &str,
+        repo: &str,
+        ruleset: &crate::github::api::Ruleset,
+    ) -> anyhow::Result<()> {
+        use crate::github::api::RulesetOp;
+
+        match op {
+            RulesetOp::CreateForRepo => {
+                debug!("Creating ruleset '{}' in '{}/{}'", ruleset.name, org, repo);
+                if !self.dry_run {
+                    // REST API: POST /repos/{owner}/{repo}/rulesets
+                    // https://docs.github.com/en/rest/repos/rules#create-a-repository-ruleset
+                    let url = GitHubUrl::repos(org, repo, "rulesets")?;
+                    self.client.send(Method::POST, &url, ruleset)?;
+                }
+            }
+            RulesetOp::UpdateRuleset(id) => {
+                debug!(
+                    "Updating ruleset '{}' (id: {}) in '{}/{}'",
+                    ruleset.name, id, org, repo
+                );
+                if !self.dry_run {
+                    // REST API: PUT /repos/{owner}/{repo}/rulesets/{ruleset_id}
+                    // https://docs.github.com/en/rest/repos/rules#update-a-repository-ruleset
+                    let url = GitHubUrl::repos(org, repo, &format!("rulesets/{}", id))?;
+                    self.client.send(Method::PUT, &url, ruleset)?;
+                }
+            }
+        }
+        Ok(())
+    }
+
+    /// Delete a ruleset from a repository
+    pub(crate) fn delete_ruleset(&self, org: &str, repo: &str, id: i64) -> anyhow::Result<()> {
+        debug!("Deleting ruleset id {} from '{}/{}'", id, org, repo);
+        if !self.dry_run {
+            // REST API: DELETE /repos/{owner}/{repo}/rulesets/{ruleset_id}
+            // https://docs.github.com/en/rest/repos/rules#delete-a-repository-ruleset
+            let url = GitHubUrl::repos(org, repo, &format!("rulesets/{}", id))?;
+            self.client
+                .send(Method::DELETE, &url, &serde_json::json!({}))?;
+        }
+        Ok(())
+    }
 }