Skip to content

Add branch protection ruleset as code #1992

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
nicolasnoble wants to merge 1 commit into from
Closed

Add branch protection ruleset as code #1992

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
74 changes: 74 additions & 0 deletions .github/rulesets/main.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
{
"name": "main branch protection",
"target": "branch",
"enforcement": "active",
"conditions": {
"ref_name": {
"include": ["~DEFAULT_BRANCH"],
"exclude": []
}
},
"rules": [
{
"type": "deletion"
},
{
"type": "non_fast_forward"
},
{
"type": "pull_request",
"parameters": {
"required_approving_review_count": 1,
"dismiss_stale_reviews_on_push": true,
"require_code_owner_review": false,
"require_last_push_approval": false,
"required_review_thread_resolution": false
}
},
{
"type": "required_status_checks",
"parameters": {
"required_status_checks": [
{
"context": "pcsx-redux Windows build",
"integration_id": 9426
},
{
"context": "pcsx-redux Bios build",
"integration_id": 9426
},
{
"context": "pcsx-redux Windows CLI build",
"integration_id": 9426
},
{
"context": "build-openbios",
"integration_id": 15368
},
{
"context": "build",
"integration_id": 15368
},
{
"context": "coverage",
"integration_id": 15368
},
{
"context": "cross-arm64",
"integration_id": 15368
},
{
"context": "asan",
"integration_id": 15368
},
Comment on lines +44 to +63
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Extract workflow names and job IDs to determine correct status check contexts

echo "=== GitHub Actions Workflows and Jobs ==="
echo

for workflow in .github/workflows/*.yml .github/workflows/*.yaml; do
  if [ -f "$workflow" ]; then
    echo "File: $workflow"
    echo -n "  Workflow name: "
    gawk '/^name:/ {gsub(/^name: */, ""); gsub(/"/, ""); print; exit}' "$workflow"
    echo "  Job IDs:"
    gawk '/^jobs:/,/^[^ ]/ {if ($0 ~ /^  [a-zA-Z0-9_-]+:$/) {gsub(/:/, ""); gsub(/^  /, ""); print "    - " $0}}' "$workflow"
    echo
  fi
done

Repository: grumpycoders/pcsx-redux

Length of output: 1043

🏁 Script executed:

#!/bin/bash
# Extract job definitions from workflow files more reliably

echo "=== Job Extraction from Workflows ==="
echo

for workflow in .github/workflows/macos-build.yml .github/workflows/linux-build.yml .github/workflows/linux-coverage.yml .github/workflows/linux-asan.yml .github/workflows/linux-cross.yml .github/workflows/linux-toolchain.yml; do
  if [ -f "$workflow" ]; then
    echo "File: $(basename $workflow)"
    echo -n "  Workflow name: "
    grep "^name:" "$workflow" | head -1 | sed 's/^name: *//; s/"//g'
    echo "  Jobs:"
    # Use a more robust approach: find job IDs and check for explicit 'name:' fields
    python3 << 'PYSCRIPT'
import sys
import re

workflow = sys.argv[1]
with open(workflow) as f:
    content = f.read()

# Parse YAML-like structure
lines = content.split('\n')
in_jobs = False
current_job = None

for i, line in enumerate(lines):
    if line.startswith('jobs:'):
        in_jobs = True
        continue
    
    if in_jobs and line and not line[0].isspace():
        break
    
    if in_jobs and re.match(r'^  [a-zA-Z0-9_-]+:', line):
        current_job = line.strip().rstrip(':')
        job_name = None
        # Look ahead for explicit 'name:' field
        for j in range(i+1, min(i+10, len(lines))):
            if re.match(r'^    name:', lines[j]):
                job_name = lines[j].split('name:')[1].strip().strip("'\"")
                break
            if re.match(r'^  [a-zA-Z0-9_-]+:', lines[j]):
                break
        
        if job_name:
            print(f"    - {current_job} (name: {job_name})")
        else:
            print(f"    - {current_job}")

PYSCRIPT
  fi
done

Repository: grumpycoders/pcsx-redux

Length of output: 1148

🏁 Script executed:

cat -n .github/rulesets/main.json | grep -A 2 -B 2 '"context"'

Repository: grumpycoders/pcsx-redux

Length of output: 1273

🏁 Script executed:

echo "=== macos-build.yml jobs ===" && sed -n '/^jobs:/,/^[^ ]/p' .github/workflows/macos-build.yml | head -20
echo ""
echo "=== linux-build.yml jobs ===" && sed -n '/^jobs:/,/^[^ ]/p' .github/workflows/linux-build.yml | head -20
echo ""
echo "=== linux-coverage.yml jobs ===" && sed -n '/^jobs:/,/^[^ ]/p' .github/workflows/linux-coverage.yml | head -20
echo ""
echo "=== linux-asan.yml jobs ===" && sed -n '/^jobs:/,/^[^ ]/p' .github/workflows/linux-asan.yml | head -20
echo ""
echo "=== linux-cross.yml jobs ===" && sed -n '/^jobs:/,/^[^ ]/p' .github/workflows/linux-cross.yml | head -20
echo ""
echo "=== linux-toolchain.yml jobs ===" && sed -n '/^jobs:/,/^[^ ]/p' .github/workflows/linux-toolchain.yml | head -20

Repository: grumpycoders/pcsx-redux

Length of output: 4057

🏁 Script executed:

for workflow in .github/workflows/macos-build.yml .github/workflows/linux-build.yml .github/workflows/linux-coverage.yml .github/workflows/linux-asan.yml .github/workflows/linux-cross.yml .github/workflows/linux-toolchain.yml; do
  echo "=== $(basename $workflow) ===" 
  # Extract job section and check for 'name:' fields at job level (4 spaces indent)
  sed -n '/^jobs:/,/^[^ ]/p' "$workflow" | grep -E "^  [a-zA-Z0-9_-]+:|^    name:" | head -10
  echo ""
done

Repository: grumpycoders/pcsx-redux

Length of output: 395

🏁 Script executed:

# Check if there's any Windows build workflow in GitHub Actions
ls -la .github/workflows/ | grep -i windows
echo ""
echo "Windows build checks in ruleset:"
grep -B 1 -A 1 '"integration_id": 9426' .github/rulesets/main.json

Repository: grumpycoders/pcsx-redux

Length of output: 404

🏁 Script executed:

# Verify the exact behavior by checking GitHub Actions documentation
# Also double-check if any of the jobs have name: fields deeper in their definitions
for job_section in "build-openbios" "build" "coverage" "asan" "cross-arm64" "toolchain"; do
  echo "=== Checking for 'name:' in job definitions ==="
  grep -n "name:" .github/workflows/*.yml | grep -i "$job_section" | head -5
done

Repository: grumpycoders/pcsx-redux

Length of output: 1474

🏁 Script executed:

# Check macos-build.yml for build-openbios job definition
echo "=== macos-build.yml: build-openbios job ===" 
sed -n '/^  build-openbios:/,/^  [a-z]/p' .github/workflows/macos-build.yml | head -20

echo ""
echo "=== linux-build.yml: build job ===" 
sed -n '/^  build:/,/^  [a-z]/p' .github/workflows/linux-build.yml | head -20

echo ""
echo "=== linux-coverage.yml: coverage job ===" 
sed -n '/^  coverage:/,/^  [a-z]/p' .github/workflows/linux-coverage.yml | head -20

Repository: grumpycoders/pcsx-redux

Length of output: 2126

Critical: Status check names won't match GitHub Actions reporting.

The status check context names for GitHub Actions jobs (integration_id 15368) don't match how GitHub actually reports them. When a workflow job has no explicit name: field, GitHub reports the check as "workflow-name / job-id", not just "job-id".

Based on the workflow configurations:

  • Line 45: "build-openbios" should be "macOS CI / build-openbios"
  • Line 49: "build" should be "Linux CI / build"
  • Line 53: "coverage" should be "Linux CI coverage / coverage"
  • Line 57: "cross-arm64" should be "Linux CI cross / cross-arm64"
  • Line 61: "asan" should be "Linux CI asan / asan"
  • Line 65: "toolchain" should be "Linux CI toolchain / toolchain"

Without correction, these required checks will never pass and PRs will be permanently blocked from merging.

🔧 Proposed fix 
         {
-          "context": "build-openbios",
+          "context": "macOS CI / build-openbios",
           "integration_id": 15368
         },
         {
-          "context": "build",
+          "context": "Linux CI / build",
           "integration_id": 15368
         },
         {
-          "context": "coverage",
+          "context": "Linux CI coverage / coverage",
           "integration_id": 15368
         },
         {
-          "context": "cross-arm64",
+          "context": "Linux CI cross / cross-arm64",
           "integration_id": 15368
         },
         {
-          "context": "asan",
+          "context": "Linux CI asan / asan",
           "integration_id": 15368
         },
         {
-          "context": "toolchain",
+          "context": "Linux CI toolchain / toolchain",
           "integration_id": 15368
         }
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/rulesets/main.json around lines 44 - 63, Update the status check
context strings to match GitHub Actions' reported names so the required checks
map to actual workflow job names: replace "build-openbios" with "macOS CI /
build-openbios", "build" with "Linux CI / build", "coverage" with "Linux CI
coverage / coverage", "cross-arm64" with "Linux CI cross / cross-arm64", "asan"
with "Linux CI asan / asan", and "toolchain" with "Linux CI toolchain /
toolchain" for the entries that share integration_id 15368 so the contexts match
the workflow "workflow-name / job-id" format and allow the checks to pass.

{
"context": "toolchain",
"integration_id": 15368
}
],
"strict_required_status_checks_policy": false,
"do_not_enforce_on_create": false
}
}
]
}
Loading