From bc2e54957581ccf6e3ab1faae05a03646c345630 Mon Sep 17 00:00:00 2001
From: Tri Lam
Date: Fri, 15 May 2026 05:38:57 -0700
Subject: [PATCH] [ci] Branch protection: resync require_linear_history + drop required_signatures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GitHub Settings → Branches → `main` was flipped in two ways: linear-history re-enabled (after being disabled in PR #28's resolution window), and signed commits dropped.

Both source-of-truth files updated to match the live state:

- `.github/branch-protection.yml:15`: `require_linear_history: true`, with a comment that names the known cost (squash-merge blocks for branches that absorbed merge commits) and the documented escape hatch (squash-collapse + force-push as a per-PR exception to MEMORY.md `feedback_no_history_rewrites`).
- `.github/branch-protection.yml:38`: `require_signed_commits: false`, with a comment that names the actual provenance chain on `main` today (PR-required gate + DCO `Signed-off-by:` trailer + GitHub web-flow auto-signing of every squash-merge commit) and the re-enable trigger (external contributors joining, or an explicit audit binding).
- `scripts/apply-branch-protection.sh:44,48`: JSON payload flipped to match, so the next idempotent re-apply preserves the live state rather than reverting.

No behavior change on `main` — this commit aligns the documentation to the policy choice already in effect via the GitHub UI.

Signed-off-by: Tri Lam
---
 .github/branch-protection.yml | 33 +++++++++++++++++-------------
 scripts/apply-branch-protection.sh | 4 ++--
 2 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/.github/branch-protection.yml b/.github/branch-protection.yml
index 2601afa0..e5621c4b 100644
--- a/.github/branch-protection.yml
+++ b/.github/branch-protection.yml
@@ -4,19 +4,15 @@
 branch: main
 require_pull_request_before_merge: true
-# Repo-level `Allow merge commits: false` (Settings → General → Merge
-# button) already makes main's history linear by construction —
-# squash and rebase are the only merge methods and both produce a
-# linear shape on main. The separate `require_linear_history` rule
-# adds nothing on top of that for the main-branch outcome; its only
-# distinct effect is to block PRs whose source branches absorbed
-# merge commits via legitimate `git merge origin/main` conflict
-# resolution. That collides with `feedback_no_history_rewrites` in
-# MEMORY.md, which forbids rebasing pushed history — leaving merge
-# as the only honest way to bring main into a long-lived PR.
-# Re-enable if a future workflow mixes in regular merge-commits
-# (e.g. release branches, long-lived integration branches).
-require_linear_history: false
+# Keeps main's `git log` clean at the squash-merge boundary. Repo-level
+# `Allow merge commits: false` (Settings → General) is the load-bearing
+# rule; this one is belt-and-suspenders. Known distinct cost: blocks
+# squash-merge when the source branch absorbed merge commits via
+# `git merge origin/main` conflict resolution. When that bites, the
+# escape hatch is to squash-collapse the branch to a single commit
+# on top of current main and force-push — a per-PR exception to
+# MEMORY.md `feedback_no_history_rewrites` documented in the PR body.
+require_linear_history: true
 allow_force_push: false
 allow_deletions: false
 require_conversation_resolution: true
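Review bot: The escape hatch in the new comment ("squash-collapse … and force-push") reads, two lines above `allow_force_push: false`, as if the two contradict each other; they target different refs and the comment should say so, e.g. `# (the force-push is to the PR's source branch; main itself stays force-push-protected by allow_force_push below)`. The exception is recorded only "in the PR body", so nothing in this file or the protection rules checks that it actually happened — worth stating that it is a reviewer-verified convention, since reviewers are the only control on it.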
@@ -30,7 +26,16 @@ required_approving_review_count: 0
 require_codeowners_review: false
 dismiss_stale_reviews_on_push: true
-require_signed_commits: true # see scripts/setup-signing.sh
+# GitHub web-flow auto-signs every squash-merge commit (committer:
+# `GitHub `), which is the only signature surface
+# on `main` under our squash-only merge convention. A personal-key
+# signature requirement on top of that added no provenance beyond the
+# PR-required-before-merge gate + DCO `Signed-off-by:` trailer + the
+# GitHub web-flow signature already in place. Re-enable when external
+# contributors join (then key-based signatures distinguish authentic
+# contributions) or an audit explicitly binds it. `scripts/setup-signing.sh`
+# remains available for contributors who sign by convention.
+require_signed_commits: false
 enforce_admins: true
 # strict=false means PRs don't need to be physically rebased onto current
diff --git a/scripts/apply-branch-protection.sh b/scripts/apply-branch-protection.sh
index c1c3f1b7..1f51a0e1 100755
--- a/scripts/apply-branch-protection.sh
+++ b/scripts/apply-branch-protection.sh
@@ -41,11 +41,11 @@ gh api \
 "dismiss_stale_reviews": true
 },
 "restrictions": null,
- "required_linear_history": false,
+ "required_linear_history": true,
 "allow_force_pushes": false,
 "allow_deletions": false,
 "required_conversation_resolution": true,
- "required_signatures": true
+ "required_signatures": false
 }
 JSON
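Review bot: The rationale above `require_signed_commits: false` lists the DCO `Signed-off-by:` trailer as part of the "provenance chain", but that trailer is unverified free text anyone can add, so the only machine-checkable attestation left on `main` is the web-flow signature — and it attests that GitHub produced the squash commit from a merged PR, not who authored the changes behind it; the comment should say that plainly, e.g. `# The DCO trailer is unverified text; the web-flow signature is the one cryptographic attestation left and binds the commit to GitHub's merge flow, not to an author key.`, so the re-enable trigger is judged against the real residual control. The "squash-only merge convention" also disagrees with the removed text in the first hunk, which says squash and rebase are both enabled merge methods; if rebase-merge is still enabled, confirm that it yields the same web-flow signature rather than assuming it, or name squash as the only enabled method. The parenthetical `(committer: `GitHub `)` looks truncated — the bracketed address seems to have been dropped — and should be completed or removed.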
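Review bot: `"required_signatures": false` may be a silent no-op in this payload: the surrounding keys match the body of the PUT branch-protection endpoint, which as far as I recall has no `required_signatures` field and ignores unknown keys, signature protection being managed through the separate `…/protection/required_signatures` resource — please check against the API reference before relying on the re-apply to hold the live state. If that is right, the previous `true` never enforced anything either, which would fit the UI-side drift this commit reconciles, and the key should be removed with a comment or replaced by an explicit call to the dedicated endpoint. The two sources of truth are synchronised by hand (this commit edits both), so a comment on each flipped field naming its counterpart in `.github/branch-protection.yml`, or a CI step comparing the two, would catch the next divergence. The enclosing `gh api` command starts outside the hunk.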