@aRustyDev aRustyDev commented Dec 5, 2025

Summary

This PR adds justfile entries for protecting GitHub repositories using branch rulesets, and refactors the entire justfile to use just built-in functions and a global target_repo variable.

Changes

New Features

  • Branch Protection Recipes: New justfile recipes for managing repository branch protection:

    • protect-repo [repo] - Apply all branch protection rulesets
    • apply-ruleset [repo] <file> - Apply a single ruleset from JSON file
    • unprotect-repo [repo] - Remove all rulesets
    • list-rulesets [repo] - List all rulesets for a repository
  • Initialization System:

    • init - Interactive first-time setup that sets target_repo
    • set-target <repo> - Non-interactive way to change target repository
    • Self-modifying justfile to persist the target repository

New Files

  • .github/rulesets/main-branch-protection.json - Ruleset configuration for main branch
  • .github/rulesets/integration-branch-protection.json - Ruleset configuration for integration branch
  • .ai/docs/strategies/protect-github-repo.md - Strategy documentation

Refactoring

  • Built-in Functions: Replaced shell patterns with just built-ins:

    • justfile_directory() instead of $(dirname "$0")
    • justfile() for self-modification
    • path_exists() for file/directory validation
    • error() for clean error handling
  • Global Variables:

    • Added target_repo - set via init or override per-command
    • Added justfile_dir, labels_file, rulesets_dir, bundles_dir path variables
  • Validation Helpers:

    • _require-repo - Ensures repo parameter is set
    • _require-file - Ensures file exists
    • _require-dir - Ensures directory exists
  • Code Cleanup:

    • Removed redundant echo "" statements
    • Removed unnecessary shell variable assignments
    • Marked internal recipes with [private]
    • Simplified heredocs to inline strings

Protection Rules Applied

Main Branch

  • ❌ Direct pushes blocked
  • ❌ Force pushes blocked
  • ❌ Branch deletion blocked
  • ✅ Requires 1 PR review
  • ✅ Dismisses stale reviews
  • ✅ Requires conversation resolution
  • ✅ Requires linear history

Integration Branch

  • ❌ Direct pushes blocked
  • ❌ Force pushes blocked
  • ❌ Branch deletion blocked
  • ✅ Requires 1 PR review
  • ✅ Dismisses stale reviews
  • ✅ Requires conversation resolution

Usage

# First-time setup
just init

# After init, no need to specify repo
just protect-repo
just list-rulesets
just sync-labels

# Or override the default
just protect-repo other-owner/other-repo

# Apply a custom ruleset
just apply-ruleset path/to/custom-ruleset.json

Commits

  1. feat(just): Adding justfile entries for protecting repository
  2. docs(just): Documenting justfile entries for protecting repository
  3. refactor(just): Use built-in functions, add init recipe, and target_repo default

@aRustyDev aRustyDev force-pushed the pr/just-protect-repo branch from 79081a0 to dd6e9d8 Compare December 5, 2025 21:44
…epo default

- Add `init` recipe for interactive first-time setup
- Add `set-target` recipe for non-interactive target_repo changes
- Add `target_repo` global variable as default for all repo parameters
- Replace shell `$(dirname "$0")` with `justfile_directory()`
- Replace shell path checks with `path_exists()`
- Add `_require-repo`, `_require-file`, `_require-dir` validation helpers
- Remove redundant `echo ""` statements throughout
- Remove unnecessary shell variable assignments (use just params directly)
- Mark internal recipes with `[private]` attribute
- Simplify heredocs to inline strings for just compatibility

Split branch protection rulesets into two categories:
- Core protection (no bypass): deletion, force-push, linear history
- PR reviews (with bypass): review requirements for aRustyDev

This enables the user aRustyDev to bypass the required_approving_review_count
rule while still being subject to all core branch protections.

New files:
- .github/rulesets/main-pr-reviews.json
- .github/rulesets/integration-pr-reviews.json

Modified:
- .github/rulesets/main-branch-protection.json (removed PR rules)
- .github/rulesets/integration-branch-protection.json (removed PR rules)
- .ai/docs/strategies/protect-github-repo.md (updated documentation)

GitHub repository-level rulesets do not support "User" as an actor_type.
Valid types are: Integration, OrganizationAdmin, RepositoryRole, Team, DeployKey.

Changed bypass_actors to use:
- actor_type: "RepositoryRole"
- actor_id: 5 (Repository Admin/Owner role)

This allows repository admins to bypass PR review requirements while
still being subject to core branch protections.

Added --silent flag to gh api commands to prevent the JSON response
from being piped through a pager (vim/less), allowing the recipe to
run non-interactively.
@aRustyDev aRustyDev merged commit c39116b into integration Dec 7, 2025
2 checks passed
@github-project-automation github-project-automation bot moved this from Todo to Done in MCP Server Development Dec 7, 2025
@aRustyDev aRustyDev deleted the pr/just-protect-repo branch December 7, 2025 13:27
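
An added example, not code from this PR or repository: a pre-apply lint for ruleset JSON that enforces the split described in the commit messages above (no bypass actors on deletion, force-push or linear-history rules; only the listed actor types). The sample rulesets are constructed, and the rule type names `deletion`, `non_fast_forward`, `required_linear_history` and `pull_request` are GitHub's ruleset API names, assumed to be what the PR's files use.

```python
import json
import sys

# Actor types the commit message lists as valid for repository-level rulesets.
VALID_ACTOR_TYPES = {"Integration", "OrganizationAdmin", "RepositoryRole", "Team", "DeployKey"}
# Rule types that must never be bypassable under the core/review split.
CORE_RULES = {"deletion", "non_fast_forward", "required_linear_history"}


def lint_ruleset(rs):
    """Return findings for one parsed ruleset document; an empty list means clean."""
    findings = []
    rule_types = {r.get("type") for r in rs.get("rules", [])}
    actors = rs.get("bypass_actors", [])
    for a in actors:
        if a.get("actor_type") not in VALID_ACTOR_TYPES:
            findings.append(f"unsupported actor_type {a.get('actor_type')!r}")
    core = sorted(rule_types & CORE_RULES)
    if core and actors:
        # A bypass actor here could force-push to or delete the protected branch.
        findings.append(f"bypass_actors present on core rules: {', '.join(core)}")
    if core and "pull_request" in rule_types:
        findings.append("pull_request rule mixed with core rules; split the ruleset")
    if rs.get("enforcement") != "active":
        findings.append(f"enforcement is {rs.get('enforcement')!r}, not 'active'")
    return findings


# Constructed, trimmed samples (the PR's real JSON files are not shown on the page).
ADMIN_BYPASS = {"actor_id": 5, "actor_type": "RepositoryRole", "bypass_mode": "always"}
CORE = {"name": "main-branch-protection", "target": "branch", "enforcement": "active",
        "bypass_actors": [],
        "rules": [{"type": "deletion"}, {"type": "non_fast_forward"},
                  {"type": "required_linear_history"}]}
REVIEWS = {"name": "main-pr-reviews", "target": "branch", "enforcement": "active",
           "bypass_actors": [ADMIN_BYPASS],
           "rules": [{"type": "pull_request",
                      "parameters": {"required_approving_review_count": 1}}]}
USER_ACTOR = dict(REVIEWS, bypass_actors=[{"actor_id": 1, "actor_type": "User"}])
UNSPLIT = dict(CORE, bypass_actors=[ADMIN_BYPASS], rules=CORE["rules"] + REVIEWS["rules"])

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. .github/rulesets/*.json
        with open(path) as fh:
            for finding in lint_ruleset(json.load(fh)):
                print(f"{path}: {finding}")
```

Run it over the ruleset files before applying them; any printed line is a finding.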