[TODO] Update branch protection to require the check job for main and 8.3.x branches
#12554
Comments
webknjaz
added
type: infrastructure
|
Whoever has enough privileges — it's time to do this. The grace period has passed, and any important PRs should have a |
webknjaz
changed the title
check job for main and 8.2.x branchescheck job for main and 8.3.x branches
|
@nicoddemus @RonnyPfannschmidt @Pierre-Sassoulas can anybody with access complete this task? At least, the first 3 points, excluding the bonus one. This should take under 10 minutes. |
|
I'll add it to my morning schedule, thanks for the reminder |
|
branch and tag rules where deprecated and the new ruleset stuff doesn't support regex i created the ruleset require-commit-checks which matches the default branch and all future release branches i configured it so it allows the creation of branches even without check |
|
i update the tag ruleset and refined the commit check ruleset, - im going to drop the old branch rules now |
|
@nicoddemus @webknjaz i completed creating the new rule sets rules and dropped the old branch rules + fixed the tag rule sets - i'd love another set of eyes on those settings to ensure i didn't miss anything |
|
I recently had to drop py38 job and added py313 job in #12874 too. |
|
@Pierre-Sassoulas the new rules use only the check job (which depends on all the others) - so the branch rules are more simple |
|
Thanks @RonnyPfannschmidt for looking into it! I have a few questions about
Other than that everything looks reasonable to me! |
|
I was recently playing with this a lot and settled on having several smaller rules that cover different aspects... @RonnyPfannschmidt I think the wildcards are supported in the base inclusions. But there was also a way separate section in the bottom parts of the rules that literally suports regexes and can be used to refine allowed naming further. Although, that might only be available in the enterprise orgs. But let me double-check... |
It would, if they match the rule. This is one of the reasons I've gone for more granularity elsewhere.. |
|
I don't have repo settings access but wanted to share that rulesets are accessible publicly, which is better than the legacy protections that weren't transparent: https://github.com/pytest-dev/pytest/rules. This also means that I can link to what I've set up elsewhere and you all can see what I've been playing with: Oh, and one of the cool new features is that you can actually export each ruleset as a JSON file and seed the new repos with your battle-tested rules. It's one file per rule, though so some repetition is still needed. You can import them and safe as disabled for further refinement too. Or share those files with others, adding them to multiple repos. |
|
Bear in mind that those rule names are publicly visible (on the web UI, but probably not in the |
|
@RonnyPfannschmidt check if we have that last section in the org:
If not, it might be possible to combine inclusions and exclusions. Also, it is very important to exclude the bot-managed branches from the rule. Otherwise, apps like patchback, pre-commit.ci and dependabot won't be able to create PRs since they operate within the upstream repo. We also need to handle the merge queue branches similarly in case we enable that in the future. |
I checked this in the |
|
@RonnyPfannschmidt I crossed a few TODO list items in the initial post per what you've completed already. I noticed that there's no GH App-provided checks in the rules anymore. Should we keep RTD/pre-commit.ci there? Also, in the top section called I'd still enumerate the known branch exclusions just in case. Here's mine:
|
|
@RonnyPfannschmidt could you look into what's left once more? |
|
@webknjaz i added the suggested bypasses and the enumeration i wonder if we should make that ruleset an export and apply it to all repos where sensible |
|
Yes, that would make sense. I was thinking that the export could be made public in some shared files so people could pick it up on their own. I've been experimenting with this more and the import experience is mostly fine but there's a quirk that it pre-fills the form and doesn't let you save it if it references GitHub Apps or checks that aren't present in the target repo. One has to then figure out which parts to remove to be able to actually save new ruleset. |
|
@RonnyPfannschmidt could you post a screenshot of the added checks like chronographer/rtd/codecov? I don't see these marked in PRs... |
|
I see. I added the bots as bypass not as pr check requirements I'll fix that |
|
Great, thanks! Those are just examples as I don't know what else might've been required in the old branch protection... |
|
i added the checks for codecov, chronographer and rtd we may need to remove codecov again as it seems slightly problematic |
|
@RonnyPfannschmidt Codecov is pretty stable these days. We currently only have the patch variant of it in. It probably needs more configuration, but that's a separate topic. P.S. I'd also add the |
|
@RonnyPfannschmidt would you mind marking |
In #10315 + #12488 + #12517, I added a CI gating job. During the sprints, I suggested that we don't add it as a required check for some while to allow more older PRs to produce this status.
I think the time has come to complete the integration. I'm assigning Ronny because he has enough repo access and we talked through the context in person.
checkin the branch protectionmainand8.3.xThe text was updated successfully, but these errors were encountered: