oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 8 Packages Projects Releases Wiki Activity
Files
ec6f4c247dcd00ac5297eaedbf0500a30bd2c5c9
aitbc/docs/policies/BRANCH_PROTECTION.md
AITBC System b033923756 chore: normalize file permissions across repository 
- Remove executable permissions from configuration files (.editorconfig, .env.example, .gitignore)
- Remove executable permissions from documentation files (README.md, LICENSE, SECURITY.md)
- Remove executable permissions from web assets (HTML, CSS, JS files)
- Remove executable permissions from data files (JSON, SQL, YAML, requirements.txt)
- Remove executable permissions from source code files across all apps
- Add executable permissions to Python
2026-03-08 11:26:18 +01:00

392 lines
11 KiB
Markdown
Raw Blame History

# Branch Protection Configuration Guide
## Overview
This document outlines the recommended branch protection settings for the AITBC repository to ensure code quality, security, and collaboration standards.
## GitHub Branch Protection Settings
### Main Branch Protection
Navigate to: `Settings > Branches > Branch protection rules`
#### Create Protection Rule for `main`
**Branch name pattern**: `main`
**Require status checks to pass before merging**
- ✅ Require branches to be up to date before merging
- ✅ Require status checks to pass before merging
**Required status checks**
- ✅ Lint (ruff)
- ✅ Check .env.example drift
- ✅ Test (pytest)
- ✅ contracts-ci / Lint
- ✅ contracts-ci / Slither Analysis
- ✅ contracts-ci / Compile
- ✅ contracts-ci / Test
- ✅ dotenv-check / dotenv-validation
- ✅ dotenv-check / dotenv-security
- ✅ security-scanning / bandit
- ✅ security-scanning / codeql
- ✅ security-scanning / safety
- ✅ security-scanning / trivy
- ✅ security-scanning / ossf-scorecard
**Require pull request reviews before merging**
- ✅ Require approvals
- **Required approving reviews**: 2
- ✅ Dismiss stale PR approvals when new commits are pushed
- ✅ Require review from CODEOWNERS
- ✅ Require review from users with write access in the target repository
- ✅ Limit the number of approvals required (2) - **Do not allow users with write access to approve their own pull requests**
**Restrict pushes**
- ✅ Limit pushes to users who have write access in the repository
- ✅ Do not allow force pushes
**Restrict deletions**
- ✅ Do not allow users with write access to delete matching branches
**Require signed commits**
- ✅ Require signed commits (optional, for enhanced security)
### Develop Branch Protection
**Branch name pattern**: `develop`
**Settings** (same as main, but with fewer required checks):
- Require status checks to pass before merging
- Required status checks: Lint, Test, Check .env.example drift
- Require pull request reviews before merging (1 approval)
- Limit pushes to users with write access
- Do not allow force pushes
## Required Status Checks Configuration
### Continuous Integration Checks
| Status Check | Description | Workflow |
|-------------|-------------|----------|
| `Lint (ruff)` | Python code linting | `.github/workflows/ci.yml` |
| `Check .env.example drift` | Configuration drift detection | `.github/workflows/ci.yml` |
| `Test (pytest)` | Python unit tests | `.github/workflows/ci.yml` |
| `contracts-ci / Lint` | Solidity linting | `.github/workflows/contracts-ci.yml` |
| `contracts-ci / Slither Analysis` | Solidity security analysis | `.github/workflows/contracts-ci.yml` |
| `contracts-ci / Compile` | Smart contract compilation | `.github/workflows/contracts-ci.yml` |
| `contracts-ci / Test` | Smart contract tests | `.github/workflows/contracts-ci.yml` |
| `dotenv-check / dotenv-validation` | .env.example format validation | `.github/workflows/dotenv-check.yml` |
| `dotenv-check / dotenv-security` | .env.example security check | `.github/workflows/dotenv-check.yml` |
| `security-scanning / bandit` | Python security scanning | `.github/workflows/security-scanning.yml` |
| `security-scanning / codeql` | CodeQL analysis | `.github/workflows/security-scanning.yml` |
| `security-scanning / safety` | Dependency vulnerability scan | `.github/workflows/security-scanning.yml` |
| `security-scanning / trivy` | Container security scan | `.github/workflows/security-scanning.yml` |
| `security-scanning / ossf-scorecard` | OSSF Scorecard analysis | `.github/workflows/security-scanning.yml` |
### Additional Checks for Feature Branches
For feature branches, consider requiring:
- `comprehensive-tests / unit-tests`
- `comprehensive-tests / integration-tests`
- `comprehensive-tests / api-tests`
- `comprehensive-tests / blockchain-tests`
## CODEOWNERS Integration
The branch protection should be configured to require review from CODEOWNERS. This ensures that:
1. **Domain experts review relevant changes**
2. **Security team reviews security-sensitive files**
3. **Core team reviews core functionality**
4. **Specialized teams review their respective areas**
### CODEOWNERS Rules Integration
```bash
# Security files require security team review
/security/ @aitbc/security-team
*.pem @aitbc/security-team
# Smart contracts require Solidity team review
/contracts/ @aitbc/solidity-team
*.sol @aitbc/solidity-team
# CLI changes require CLI team review
/cli/ @aitbc/cli-team
aitbc_cli/ @aitbc/cli-team
# Core files require core team review
pyproject.toml @aitbc/core-team
poetry.lock @aitbc/core-team
```
## Pre-commit Hooks Integration
Branch protection works best with pre-commit hooks:
### Required Pre-commit Hooks
```yaml
# .pre-commit-config.yaml
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
- id: check-json
- id: check-toml
- id: check-merge-conflict
- repo: https://github.com/psf/black
rev: 24.3.0
hooks:
- id: black
language_version: python3.13
- repo: https://github.com/charliermarsh/ruff-pre-commit
rev: v0.1.15
hooks:
- id: ruff
args: [--fix, --exit-non-zero-on-fix]
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.8.0
hooks:
- id: mypy
args: [--ignore-missing-imports]
- repo: local
hooks:
- id: dotenv-linter
name: dotenv-linter
entry: python scripts/focused_dotenv_linter.py
language: system
args: [--check]
pass_filenames: false
```
## Workflow Status Checks
### CI Workflow Status
The CI workflows should be configured to provide clear status checks:
```yaml
# .github/workflows/ci.yml
name: CI
on:
push:
branches: ["**"]
pull_request:
branches: ["**"]
jobs:
python:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
- name: Install dependencies
run: |
python -m pip install --upgrade pip poetry
poetry config virtualenvs.create false
poetry install --no-interaction --no-ansi
- name: Lint (ruff)
run: poetry run ruff check .
- name: Check .env.example drift
run: python scripts/focused_dotenv_linter.py --check
- name: Test (pytest)
run: poetry run pytest --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
```
## Security Best Practices
### Commit Signing
Consider requiring signed commits for enhanced security:
```bash
# Configure GPG signing
git config --global commit.gpgsign true
git config --global user.signingkey YOUR_GPG_KEY_ID
```
### Merge Methods
Configure merge methods for different branches:
- **Main branch**: Require squash merge with commit message validation
- **Develop branch**: Allow merge commits with proper PR description
- **Feature branches**: Allow any merge method
### Release Branch Protection
For release branches (e.g., `release/v1.0.0`):
- Require all status checks
- Require 3 approving reviews
- Require review from release manager
- Require signed commits
- Do not allow force pushes or deletions
## Enforcement Policies
### Gradual Rollout
1. **Phase 1**: Enable basic protection (no force pushes, require PR reviews)
2. **Phase 2**: Add status checks for linting and testing
3. **Phase 3**: Add security scanning and comprehensive checks
4. **Phase 4**: Enable CODEOWNERS and signed commits
### Exception Handling
Create a process for emergency bypasses:
1. **Emergency changes**: Allow bypass with explicit approval
2. **Hotfixes**: Temporary reduction in requirements
3. **Documentation**: All bypasses must be documented
### Monitoring and Alerts
Set up monitoring for:
- Failed status checks
- Long-running PRs
- Bypass attempts
- Reviewer availability
## Configuration as Code
### GitHub Configuration
Use GitHub's API or Terraform to manage branch protection:
```hcl
# Terraform example
resource "github_branch_protection" "main" {
repository_id = github_repository.aitbc.node_id
pattern = "main"
required_status_checks {
strict = true
contexts = [
"Lint (ruff)",
"Check .env.example drift",
"Test (pytest)",
"contracts-ci / Lint",
"contracts-ci / Slither Analysis",
"contracts-ci / Compile",
"contracts-ci / Test"
]
}
required_pull_request_reviews {
required_approving_review_count = 2
dismiss_stale_reviews = true
require_code_owner_reviews = true
}
enforce_admins = true
}
```
## Testing Branch Protection
### Validation Tests
Create tests to validate branch protection:
```python
def test_branch_protection_config():
"""Test that branch protection is properly configured"""
# Test main branch protection
main_protection = get_branch_protection("main")
assert main_protection.required_status_checks == EXPECTED_CHECKS
assert main_protection.required_approving_review_count == 2
# Test develop branch protection
develop_protection = get_branch_protection("develop")
assert develop_protection.required_approving_review_count == 1
```
### Integration Tests
Test that workflows work with branch protection:
```python
def test_pr_with_branch_protection():
"""Test PR flow with branch protection"""
# Create PR
pr = create_pull_request()
# Verify status checks run
assert "Lint (ruff)" in pr.status_checks
assert "Test (pytest)" in pr.status_checks
# Verify merge is blocked until checks pass
assert pr.mergeable == False
```
## Troubleshooting
### Common Issues
1. **Status checks not appearing**: Ensure workflows have proper names
2. **CODEOWNERS not working**: Verify team names and permissions
3. **Pre-commit hooks failing**: Check hook configuration and dependencies
4. **Merge conflicts**: Enable branch up-to-date requirements
### Debugging Commands
```bash
# Check branch protection settings
gh api repos/aitbc/aitbc/branches/main/protection
# Check required status checks
gh api repos/aitbc/aitbc/branches/main/protection/required_status_checks
# Check CODEOWNERS rules
gh api repos/aitbc/aitbc/contents/CODEOWNERS
# Check recent workflow runs
gh run list --branch main
```
## Documentation and Training
### Team Guidelines
Create team guidelines for:
1. **PR creation**: How to create compliant PRs
2. **Review process**: How to conduct effective reviews
3. **Bypass procedures**: When and how to request bypasses
4. **Troubleshooting**: Common issues and solutions
### Onboarding Checklist
New team members should be trained on:
1. Branch protection requirements
2. Pre-commit hook setup
3. CODEOWNERS review process
4. Status check monitoring
## Conclusion
Proper branch protection configuration ensures code quality, security, and collaboration standards. By implementing these settings, the AITBC repository maintains high standards while enabling efficient development workflows.
Regular review and updates to branch protection settings ensure they remain effective as the project evolves.
Reference in New Issue View Git Blame Copy Permalink