Use new "rulesets" for branch protection instead of "classic branch protections" in all repos

[wolfgangwalther]

There are two kinds of branch protection configuration we can use:

• The classic branch protection under "Branches" in the menu
• The new rulesets under "Rules / Rulesets"

Currently, nixpkgs and probably most repos in the org, are using the classic branch protection rules. However, the new rulesets have multiple advantages:

• They are transparent for regular users as noted by @infinisil in Introduce github-mgmt repository #99 (comment). Being able to look at the rule as a non-owner, allows to make much better suggestions for changes (for example for Delete merged branches in nixpkgs automatically #116, nixpkgs branch protection rules: prevent creation of new branches! #118, nixpkgs branch protection rules: dismiss stale pull request approvals #119).
• Rulesets can be exported/imported as JSON. This allows much better collaboration on them, even without RFC: Manage the org programatically #40 for settings / rulesets. I could recreate the rule in my fork, make the changes I'm proposing, and export them as JSON. Those could even be reviewed as a diff and then imported.
• Rulesets are much more flexible, especially in terms of which branches to target (supporting exclusions, too). This is required for nixpkgs branch protection rules: prevent creation of new branches! #118 for example.

We currently have 56 non-archived repos in the org. I briefly went through a random subset: A lot of repos don't have any branch protection (basic branch protection to prevent force pushes for the main branch should probably be added in most of them?) and I assume that many others only have very basic rules. My suggestion on how to approach this:

• Define a very simple, sensible default, for example (target: default branch, restrict deletion, block force pushes) and import this to all repos without protection.
• Import the same to those repos with matching classic rules right now.
• Deal with the rest manually.

I'm especially interested in the branch protection rules for nixpkgs, of course. As a starter, I could prepare a JSON export of the current configuration... iff an org owner / nixpkgs admin could provide screenshots of the current classic configuration...

Once we got this, I could then make much more specific suggestions for #116 and #118 (#119 is already very specific).

[infinisil]

Sounds good to me!

Here's screenshots of all current Nixpkgs branch protections: https://gist.github.com/infinisil/33fdbb637e719a9ebeb46010b4761861

[wolfgangwalther]

One low-hanging fruit: The branch protection rule "main" doesn't affect any branches and can be deleted. Edit: Although.. maybe the intent is to prevent creation of this branch, in which case it makes sense.

[wolfgangwalther]

To make review easier, I opened a PR for the to-be-imported json files: #124.

[wolfgangwalther]

Define a very simple, sensible default, for example (target: default branch, restrict deletion, block force pushes) and import this to all repos without protection.

I looked into this, and it's also possible to create a default rule on the organization level. In the test organization, it says:

Organization rulesets won't be enforced until you upgrade this organization account to GitHub Team.

Do we have "Team" or more status with the NixOS org / are organization-level rulesets possible for us? @infinisil

[wolfgangwalther]

Organization rulesets won't be enforced until you upgrade this organization account to GitHub Team.

Do we have "Team" or more status with the NixOS org / are organization-level rulesets possible for us?

Ping @infinisil - could you check whether we could use organization rulesets in principle?

[infinisil]

I can confirm that it appears that we can indeed create organisation rulesets! (sorry for the slow reply!)

[wolfgangwalther]

The default branch protection ruleset has been implemented org-wide. Everything else is up to the maintainers of the respective repos.