Ruleset
You can create rules on your repositories:
- repository branch protection
- ruleset branch protection
- or organization-wide ruleset
This page is about organization-wide rulesets, which are usually managed by the Security/IT team.
Create Organization Ruleset
- You can create a ruleset file in the /rulesets directory, like /rulesets/default.yaml:
apiVersion: v1
kind: Ruleset
name: default
spec:
  repositories:
    included:
      - ~ALL
    # except:
    #   - foo
    #   - bar.*
  ruleset:
    enforcement: evaluate # can be disable, active or evaluate
    bypassapps:
      - appname: goliac-project-app
        mode: always # can be always or pull_request
    # bypassteams:
    #   - teamname: GoldenReviewers
    #     mode: pull_request # can be always or pull_request
    conditions:
      include:
        - "~DEFAULT_BRANCH" # it can be ~ALL, ~DEFAULT_BRANCH, or a branch name
        # - 1.*
      # exclude:
      #   - another_branch
    rules:
      - ruletype: pull_request # currently supported: pull_request, required_signatures, required_status_checks, creation, update, deletion, non_fast_forward, required_linear_history
        parameters:
          requiredApprovingReviewCount: 1
- update the /goliac.yaml file to include the new organization ruleset:
...
rulesets:
  - default
- the name (here default) is the name of the file in the /rulesets directory
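Before committing a ruleset file like the one above, it is worth checking it for settings that quietly weaken protection (a non-active enforcement mode, a team that bypasses everything, a pull_request rule with no required approvals). The following linter is an added example and not part of Goliac; it works on the dict that yaml.safe_load returns for such a file, uses the field names documented on this page, and assumes (from the enforcement comment) that only "active" actually enforces the rules.

```python
# Added example (not Goliac's own code): lint a ruleset already loaded into a
# dict (e.g. with yaml.safe_load) and flag settings that weaken protection.
# Assumption: any enforcement other than "active" leaves the rules unenforced.
VALID_ENFORCEMENT = {"disable", "active", "evaluate"}
VALID_BYPASS_MODES = {"always", "pull_request"}
SUPPORTED_RULES = {"pull_request", "required_signatures", "required_status_checks",
                   "creation", "update", "deletion", "non_fast_forward",
                   "required_linear_history", "branch_name_pattern", "tag_name_pattern"}

def lint_ruleset(doc):
    """Return a list of (severity, message); an empty list means nothing to report."""
    findings = []
    if doc.get("apiVersion") != "v1" or doc.get("kind") != "Ruleset":
        findings.append(("error", "apiVersion/kind must be v1/Ruleset"))
    ruleset = (doc.get("spec") or {}).get("ruleset") or {}
    enforcement = ruleset.get("enforcement")
    if enforcement not in VALID_ENFORCEMENT:
        findings.append(("error", f"unknown enforcement {enforcement!r}"))
    elif enforcement != "active":
        findings.append(("warn", f"enforcement is {enforcement!r}: rules are not enforced"))
    # Bypass entries: a team with mode "always" is exempt from every rule.
    for kind, key in (("app", "appname"), ("team", "teamname")):
        for entry in ruleset.get(f"bypass{kind}s") or []:
            mode = entry.get("mode")
            if mode not in VALID_BYPASS_MODES:
                findings.append(("error", f"{kind} {entry.get(key)!r}: bad mode {mode!r}"))
            elif kind == "team" and mode == "always":
                findings.append(("warn", f"team {entry.get(key)!r} bypasses all rules"))
    rules = ruleset.get("rules") or []
    if not rules:
        findings.append(("warn", "ruleset defines no rules"))
    for rule in rules:
        rtype, params = rule.get("ruletype"), rule.get("parameters") or {}
        if rtype not in SUPPORTED_RULES:
            findings.append(("error", f"unsupported ruletype {rtype!r}"))
        if rtype == "pull_request" and params.get("requiredApprovingReviewCount", 0) < 1:
            findings.append(("warn", "pull_request rule requires no approving review"))
        if rtype == "required_status_checks" and not params.get("requiredStatusChecks"):
            findings.append(("error", "required_status_checks lists no checks"))
    return findings

# Constructed sample: the default.yaml above, as yaml.safe_load would return it.
SAMPLE = {"apiVersion": "v1", "kind": "Ruleset", "name": "default", "spec": {
    "repositories": {"included": ["~ALL"]},
    "ruleset": {"enforcement": "evaluate",
                "bypassapps": [{"appname": "goliac-project-app", "mode": "always"}],
                "conditions": {"include": ["~DEFAULT_BRANCH"]},
                "rules": [{"ruletype": "pull_request",
                           "parameters": {"requiredApprovingReviewCount": 1}}]}}}
```

Run against the sample file above, the only finding is the "evaluate" enforcement warning; flip it to "active" once the evaluation period is over and the linter goes quiet.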
Repositories section
You can define which repositories are impacted, using regular expressions, with the included and except lists:
repositories:
  included:
    # - ~ALL
    - .*
    # - prefix-.*
  except:
    - foo
    - bar.*
Bypass section
You can define an application that is able to bypass the above rules:
ruleset:
  bypassapps:
    - appname: goliac-project-app
      mode: always # always, pull_request
or you can define a team that can bypass, like a "golden reviewer" team:
ruleset:
  bypassapps:
    - appname: alayacare-goliac # the name of your GitHub App
      mode: always
  bypassteams:
    - teamname: GoldenReviewers
      mode: pull_request # it can be always or pull_request
Rule section
A few rules are currently supported (but the software can easily be extended): pull_request, required_signatures, required_status_checks, creation, update, deletion, required_linear_history, branch_name_pattern, tag_name_pattern
pull_request
Require all commits be made to a non-target branch and submitted via a pull request before they can be merged
ruleset:
  rules:
    - ruletype: pull_request
      parameters:
        # dismissStaleReviewsOnPush: false
        # requireCodeOwnerReview: false
        requiredApprovingReviewCount: 1
        # requiredReviewThreadResolution: false
        # requireLastPushApproval: false
required_signatures
Require signed commits: Commits pushed to matching refs must have verified signatures
ruleset:
  rules:
    - ruletype: required_signatures
required_status_checks
Choose which status checks must pass before the ref is updated. When enabled, commits must first be pushed to another ref where the checks pass
ruleset:
  rules:
    - ruletype: required_status_checks
      parameters:
        requiredStatusChecks:
          - nameofYourStatusCheck
        # strictRequiredStatusChecksPolicy: false
creation
Restrict creations: only allow users with bypass permission to create matching refs
ruleset:
  rules:
    - ruletype: creation
update
Restrict updates: Only allow users with bypass permission to update matching refs
ruleset:
  rules:
    - ruletype: update
deletion
Restrict deletions: Only allow users with bypass permissions to delete matching refs
ruleset:
  rules:
    - ruletype: deletion
required_linear_history
Require linear history: Prevent merge commits from being pushed to matching refs
ruleset:
  rules:
    - ruletype: required_linear_history
branch_name_pattern
ruleset:
  rules:
    - ruletype: branch_name_pattern
      parameters:
        # name: human name
        # negate: true
        operator: starts_with # can be [starts_with, ends_with, contains, regex]
        pattern: patch
tag_name_pattern
ruleset:
  rules:
    - ruletype: tag_name_pattern
      parameters:
        # name: human name
        # negate: true
        operator: starts_with # can be [starts_with, ends_with, contains, regex]
        pattern: patch