This is an automated email from the ASF dual-hosted git repository.

ppkarwasz pushed a commit to branch feat/rulesets
in repository https://gitbox.apache.org/repos/asf/commons-parent.git

commit e929ebe4ffc90cf0594ec8256358acd9ee921477
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Tue May 12 23:51:01 2026 +0200

    Add GitHub Rulesets via `.asf.yaml`
    
    Configure a minimal Ruleset to:
    
    - Prevent deletion and force-push on the default (`master`) branch and the `release` branch.
    - Prevent deletion, force-push, or update of any `rel/*` tag.
    
    Together, these rules satisfy the Tier 1 protection level defined by [Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) and should allow for [SLSA Source L3](https://slsa.dev/spec/v1.2/source-requirements#source-l3) compliance, once we introduce a workflow to push provenance attestation at each commit.
---
 .asf.yaml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/.asf.yaml b/.asf.yaml
index ac7409d..3ae43cd 100644
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -13,6 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+#
+# Additional non-standard features
+#
+meta:
+  environments:
+    - github_rulesets
+
 github:
   description: "Apache Commons Parent"
   homepage: https://commons.apache.org/parent/
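
Review bot: the comment above `meta:` ("Additional non-standard features") does not say what `github_rulesets` enables or which part of the file depends on it. Suggest stating that it is required for the `rulesets:` block added further down, if that is the case, and linking the documentation for this environment, so the entry is not removed later as unused.
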
@@ -28,3 +35,29 @@ notifications:
     pullrequests_bot_dependabot: [email protected]
     issues_bot_codecov-commenter: [email protected]
     pullrequests_bot_codecov-commenter: [email protected]
+
+  # Clear Protected Branches configuration: it is replaced by GitHub Rulesets
+    protected_branches: ~
+
+    rulesets:
+      # Use minimum level of protection: restrict deletion and force pushes.
+      - name: "Branch protection"
+        type: branch
+        branches:
+          includes:
+            - "~DEFAULT_BRANCH"
+            - "release"
+      # Use raw rules, until a convenience notation for `restrict_update` is 
introduced.
+      # See: https://github.com/apache/infrastructure-asfyaml/issues/96
+      #
+      # The raw rules need to follow the syntax given in:
+      # 
https://docs.github.com/en/rest/repos/rules?apiVersion=2026-03-10#update-a-repository-ruleset
+      - name: "Tag protection"
+        type: tag
+        branches:
+          includes:
+            - "rel/*"
+        rules:
+          - type: deletion
+          - type: non_fast_forward
+          - type: update
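
Review bot: `protected_branches: ~` and `rulesets:` are added at the same four-space indentation as the `pullrequests_bot_codecov-commenter` line above them, and the hunk header places that line under `notifications:`, so as written both keys parse as children of `notifications:` rather than of `github:`. Move the block under the `github:` mapping (two-space indentation, matching `description:` and `homepage:`), or confirm that this is where the rulesets feature reads it from; otherwise the protection the commit message describes may not be applied at all. Separately, the "Branch protection" entry has no `rules:` list, so the deletion and force-push restriction named in its comment depends on defaults that are not visible here; listing the rules explicitly, as the "Tag protection" entry does, would make the intent checkable. The tag ruleset also selects `rel/*` through a `branches:` key, which deserves a short comment if it is intentional.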
