diff --git a/.github/branch-protection.yml b/.github/branch-protection.yml
index 2601afa0..e5621c4b 100644
--- a/.github/branch-protection.yml
+++ b/.github/branch-protection.yml
@@ -4,19 +4,15 @@ branch: main
 require_pull_request_before_merge: true
-# Repo-level `Allow merge commits: false` (Settings → General → Merge
-# button) already makes main's history linear by construction —
-# squash and rebase are the only merge methods and both produce a
-# linear shape on main. The separate `require_linear_history` rule
-# adds nothing on top of that for the main-branch outcome; its only
-# distinct effect is to block PRs whose source branches absorbed
-# merge commits via legitimate `git merge origin/main` conflict
-# resolution. That collides with `feedback_no_history_rewrites` in
-# MEMORY.md, which forbids rebasing pushed history — leaving merge
-# as the only honest way to bring main into a long-lived PR.
-# Re-enable if a future workflow mixes in regular merge-commits
-# (e.g. release branches, long-lived integration branches).
-require_linear_history: false
+# Keeps main's `git log` clean at the squash-merge boundary. Repo-level
+# `Allow merge commits: false` (Settings → General) is the load-bearing
+# rule; this one is belt-and-suspenders. Known distinct cost: blocks
+# squash-merge when the source branch absorbed merge commits via
+# `git merge origin/main` conflict resolution. When that bites, the
+# escape hatch is to squash-collapse the branch to a single commit
+# on top of current main and force-push — a per-PR exception to
+# MEMORY.md `feedback_no_history_rewrites` documented in the PR body.
+require_linear_history: true
 allow_force_push: false
 allow_deletions: false
 require_conversation_resolution: true
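Review bot: The added comment calls the repo-level `Allow merge commits: false` setting the load-bearing rule, but nothing in this file or in `scripts/apply-branch-protection.sh` (third hunk) codifies or checks that setting, so a later toggle in Settings → General would leave `main` guarded only by the belt-and-suspenders rule this hunk enables while the comment stays silently wrong. Consider having the apply script also assert the repository merge-method flags (the REST update-repository endpoint exposes `allow_merge_commit`), or at minimum add `# NOTE: the repo-level merge-method setting is not codified here — re-verify in Settings → General whenever this file is applied.` The documented escape hatch (squash-collapse and force-push the PR branch) is a policy exception recorded only in PR bodies; if it is meant to be rare, a fixed phrase or checkbox in the PR template would make those exceptions greppable for audit.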
@@ -30,7 +26,16 @@ required_approving_review_count: 0
 require_codeowners_review: false
 dismiss_stale_reviews_on_push: true
-require_signed_commits: true # see scripts/setup-signing.sh
+# GitHub web-flow auto-signs every squash-merge commit (committer:
+# `GitHub `), which is the only signature surface
+# on `main` under our squash-only merge convention. A personal-key
+# signature requirement on top of that added no provenance beyond the
+# PR-required-before-merge gate + DCO `Signed-off-by:` trailer + the
+# GitHub web-flow signature already in place. Re-enable when external
+# contributors join (then key-based signatures distinguish authentic
+# contributions) or an audit explicitly binds it. `scripts/setup-signing.sh`
+# remains available for contributors who sign by convention.
+require_signed_commits: false
 enforce_admins: true
 # strict=false means PRs don't need to be physically rebased onto current
diff --git a/scripts/apply-branch-protection.sh b/scripts/apply-branch-protection.sh
index c1c3f1b7..1f51a0e1 100755
--- a/scripts/apply-branch-protection.sh
+++ b/scripts/apply-branch-protection.sh
@@ -41,11 +41,11 @@ gh api \
 "dismiss_stale_reviews": true
 },
 "restrictions": null,
- "required_linear_history": false,
+ "required_linear_history": true,
 "allow_force_pushes": false,
 "allow_deletions": false,
 "required_conversation_resolution": true,
- "required_signatures": true
+ "required_signatures": false
 }
 JSON
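Review bot: The added rationale rests on a "squash-only merge convention", yet the only repo-level merge setting this file records (first hunk) is `Allow merge commits: false`, which still leaves rebase merging available; if rebase merging is enabled, a rebase-merged PR is not covered by the "only signature surface is the web-flow squash commit" claim, so the comment should name the setting it depends on, e.g. a line reading `# Assumes repo-level "Allow rebase merging: false" as well — verify in Settings → General.` Whether GitHub re-signs rebase-merged commits with its web-flow key is not established by anything here, so until confirmed the comment should not be read as covering that path. The committer identity quoted on the second added line reads `GitHub ` with nothing after it — the identity appears to have been lost and is worth restoring so the claim is checkable. It is also worth stating plainly that the DCO `Signed-off-by:` trailer is unauthenticated text, so after this change authorship provenance on `main` reduces to GitHub account authentication on the PR plus the web-flow merge signature.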
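Review bot: As far as I recall the REST schema, `required_signatures` is not a field of the PUT `.../branches/{branch}/protection` request body — commit-signature protection has its own `.../protection/required_signatures` endpoint (POST to enable, DELETE to disable) — and unrecognised body fields are ignored rather than rejected, so flipping this value to `false` may be a no-op and the signature requirement would remain in whatever state it was last set to out-of-band, diverging from the YAML. After the PUT, make the intent explicit and verifiable, e.g. `gh api -X DELETE repos/OWNER/REPO/branches/main/protection/required_signatures` (OWNER/REPO are placeholders) followed by a `gh api repos/OWNER/REPO/branches/main/protection/required_signatures` read-back whose `enabled` field is asserted against the value in `.github/branch-protection.yml`. The same read-back pattern would catch drift in `required_linear_history` too. The enclosing `gh api` invocation starts before this hunk, so where the branch name and repository come from is not visible here.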