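--- a/.github/branch-protection.yml
+++ b/.github/branch-protection.yml
@@ -4,19 +4,15 @@
 branch: main
 
 require_pull_request_before_merge: true
-# Repo-level `Allow merge commits: false` (Settings → General → Merge
-# button) already makes main's history linear by construction —
-# squash and rebase are the only merge methods and both produce a
-# linear shape on main. The separate `require_linear_history` rule
-# adds nothing on top of that for the main-branch outcome; its only
-# distinct effect is to block PRs whose source branches absorbed
-# merge commits via legitimate `git merge origin/main` conflict
-# resolution. That collides with `feedback_no_history_rewrites` in
-# MEMORY.md, which forbids rebasing pushed history — leaving merge
-# as the only honest way to bring main into a long-lived PR.
-# Re-enable if a future workflow mixes in regular merge-commits
-# (e.g. release branches, long-lived integration branches).
-require_linear_history: false
+# Keeps main's `git log` clean at the squash-merge boundary. Repo-level
+# `Allow merge commits: false` (Settings → General) is the load-bearing
+# rule; this one is belt-and-suspenders. Known distinct cost: blocks
+# squash-merge when the source branch absorbed merge commits via
+# `git merge origin/main` conflict resolution. When that bites, the
+# escape hatch is to squash-collapse the branch to a single commit
+# on top of current main and force-push — a per-PR exception to
+# MEMORY.md `feedback_no_history_rewrites` documented in the PR body.
+require_linear_history: true
 allow_force_push: false
 allow_deletions: false
 require_conversation_resolution: true
@@ -30,7 +26,16 @@ required_approving_review_count: 0
 require_codeowners_review: false
 dismiss_stale_reviews_on_push: true
 
-require_signed_commits: true # see scripts/setup-signing.sh
+# GitHub web-flow auto-signs every squash-merge commit (committer:
+# `GitHub <noreply@github.com>`), which is the only signature surface
+# on `main` under our squash-only merge convention. A personal-key
+# signature requirement on top of that added no provenance beyond the
+# PR-required-before-merge gate + DCO `Signed-off-by:` trailer + the
+# GitHub web-flow signature already in place. Re-enable when external
+# contributors join (then key-based signatures distinguish authentic
+# contributions) or an audit explicitly binds it. `scripts/setup-signing.sh`
+# remains available for contributors who sign by convention.
+require_signed_commits: false
 enforce_admins: true
 
 # strict=false means PRs don't need to be physically rebased onto current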
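Review bot: The rationale added above `require_signed_commits: false` overstates what the remaining controls prove: a web-flow signature on a squash commit attests only that GitHub performed the merge, and a DCO `Signed-off-by:` trailer is plain text anyone can type, so neither binds the merged content to a contributor's key. Combined with `required_approving_review_count: 0` visible in the second hunk's header context, a single compromised write-scoped token can land arbitrary content on `main` with no cryptographic or human check in the path. I would add, directly above the setting, `# NOTE: the web-flow signature only proves GitHub built the squash, not that a known key authored the content; with zero required approvals there is no key-bound gate on main.` so the accepted risk is stated rather than implied. The "re-enable when external contributors join" trigger is worth tracking as an issue rather than only in a comment, since comments in a protection file are not reviewed when the contributor roster changes; the surrounding review settings are outside this hunk.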
4 changes: 2 additions & 2 deletions scripts/apply-branch-protection.sh
Expand Up @@ -41,11 +41,11 @@ gh api \
"dismiss_stale_reviews": true
},
"restrictions": null,
"required_linear_history": false,
"required_linear_history": true,
"allow_force_pushes": false,
"allow_deletions": false,
"required_conversation_resolution": true,
"required_signatures": true
"required_signatures": false
}
JSON

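Review bot: As far as I recall, the classic branch-protection `PUT .../branches/{branch}/protection` body does not accept `required_signatures`; that rule is managed through the separate `.../protection/required_signatures` endpoint, so the key flipped here may have been silently ignored both before and after this change. Please verify against the REST reference; if that is the case, the YAML's `require_signed_commits` has no enforcement path through this script, and re-enabling it later would need an explicit `gh api -X POST .../protection/required_signatures` call rather than another edit to this JSON. Independently, the same policy now lives in two hand-synced places (this JSON and `.github/branch-protection.yml`); a one-line comment such as `# keep in sync with .github/branch-protection.yml` above the heredoc would at least flag the coupling, and a CI check that diffs the two would close it. The enclosing `gh api` call starts above this hunk.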