Branch Protection Settings and Issues
Overview
As part of the MoJ GitHub repository standards it has been decided that certain Branch Protection settings should be enabled to create a safer environment on GitHub.
See the Standards.
A repository that does not have the minimum Branch Protection settings is non-compliant, and an issue is created against the repository for each Branch Protection setting that is not enabled (currently disabled).
See the github-repository-standards repository.
The non-compliant repositories and the issues created are recorded in the Operations Engineering Reports report, which is updated daily. It is generated by the operations-engineering-reports repository.
Minimum Branch Protection Settings
The minimum Branch Protection settings for a repository are listed in the github-repository-standards repository.
GH GraphQL Query
Below are some of the Branch Protection rules within GH that can be obtained from a GraphQL query. The comment on each line maps the Branch Protection rule to the Branch Protection setting within the GH repository settings UI.
```graphql
{
  repository(name: "repo-name", owner: "ministryofjustice") {
    branchProtectionRules(first: 100) {
      edges {
        node {
          dismissesStaleReviews          # Dismiss stale pull request approvals when new commits are pushed
          isAdminEnforced                # Include administrators
          pattern                        # Should be set to main
          requiredApprovingReviewCount   # Require approvals > 0
          requiredStatusCheckContexts    # Would apply to a .yml file I believe ie "terraform-plan"
          requiresApprovingReviews       # Require a pull request before merging
          requiresCodeOwnerReviews       # Require review from Code Owners
          requiresCommitSignatures       # Require signed commits
          requiresConversationResolution # Require conversation resolution before merging
          requiresLinearHistory          # Require linear history
          requiresStrictStatusChecks     # Require branches to be up to date before merging
          requiresStatusChecks           # Require status checks to pass before merging
        }
      }
    }
  }
}
```
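As an added illustration (not code from the github-repository-standards repository), the following Python evaluates a response in the shape the query above returns and lists the settings on the `main` rule that are not enabled. Which settings count as the minimum is an assumption here, taken from the comments in the query; the authoritative list lives in github-repository-standards. The response data is constructed, not fetched from GitHub.

```python
"""Evaluate branch protection rules from a GH GraphQL response (added example)."""
from typing import Any, Dict, List, Optional

# Assumed minimum settings (drawn from the query comments, not the official
# list): setting name -> predicate that the rule node's value must satisfy.
MINIMUM_SETTINGS = {
    "requiresApprovingReviews": lambda v: v is True,
    "requiredApprovingReviewCount": lambda v: isinstance(v, int) and v > 0,
    "dismissesStaleReviews": lambda v: v is True,
    "isAdminEnforced": lambda v: v is True,
}


def main_branch_rule(response: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the branchProtectionRules node whose pattern is 'main', if any."""
    edges = response["data"]["repository"]["branchProtectionRules"]["edges"]
    for edge in edges:
        node = edge["node"]
        if node.get("pattern") == "main":
            return node
    return None


def failing_settings(response: Dict[str, Any]) -> List[str]:
    """Names of assumed-minimum settings not satisfied on the 'main' rule.

    A repository with no rule for 'main' fails every setting, so a completely
    unprotected default branch surfaces as one finding per setting.
    """
    node = main_branch_rule(response)
    if node is None:
        return sorted(MINIMUM_SETTINGS)
    return sorted(name for name, ok in MINIMUM_SETTINGS.items()
                  if not ok(node.get(name)))


# Constructed sample response: a compliant release/* rule plus a main rule
# that allows zero approvals and keeps stale reviews.
SAMPLE_RESPONSE = {
    "data": {"repository": {"branchProtectionRules": {"edges": [
        {"node": {"pattern": "release/*", "requiresApprovingReviews": True,
                  "requiredApprovingReviewCount": 1,
                  "dismissesStaleReviews": True, "isAdminEnforced": True}},
        {"node": {"pattern": "main", "requiresApprovingReviews": True,
                  "requiredApprovingReviewCount": 0,
                  "dismissesStaleReviews": False, "isAdminEnforced": True}},
    ]}}}
}

if __name__ == "__main__":
    print(failing_settings(SAMPLE_RESPONSE))
```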
How to implement a Branch Protection setting in Code
Two repositories are required to implement a Branch Protection check, raise an issue and add the details to the report. These are the github-repository-standards repository and the Operations Engineering Reports repository.
The github-repository-standards repository contains the check and raises the issue on the repository (currently disabled).
The Operations Engineering Reports repository receives encrypted JSON data from the github-repository-standards repository to display on the report site.
In the github-repository-standards repository, the Branch Protection check and the code that raises an issue against a repository are implemented in Ruby. A Python script encrypts the JSON data and sends it to the report website, and the report website decrypts it. The files to look at are:
Note: Check the contents of the .json file after the script has completed to ensure the expected Branch Protection results are generated correctly.
Note: The JSON result data is passed between the two repositories, so the variable names used in both repositories must match when writing or reading the JSON data.
Note: Either on a branch or after the modifications have been merged onto the main branch, the operations-engineering-reports report can be run manually in CI (Continuous Deployment) to see the modifications in the report sooner, rather than waiting for the scheduled report run.