Add support for YAML references

[ppkarwasz]

When configuring exactly the same branch protection rules for multiple branches, it would be useful to use YAML anchor and references, for example:

# Enforce Review-then-Commit
protected_branches:
  2.x: &default_protection
    # All commits must be signed
    required_signatures: true
    # All reviews must be addressed before merging
    required_conversation_resolution: true
    # Require checks to pass before merging
    required_status_checks:
      checks:
        # The GitHub Actions app: 15368
        - app_id: 15368
          context: "build"
        - app_id: 15368
          context: "codeql-analysis"
    # At least one positive review must be present
    required_pull_request_reviews:
      required_approving_review_count: 1
  main: *default_protection

As far as I know strictyaml does not allow this feature for security reasons.
In this case an alternative might be allowing to specify the name of the branch that has an identical configuration:

# Enforce Review-then-Commit
protected_branches:
  2.x:
    # All commits must be signed
    required_signatures: true
    # All reviews must be addressed before merging
    required_conversation_resolution: true
    # Require checks to pass before merging
    required_status_checks:
      checks:
        # The GitHub Actions app: 15368
        - app_id: 15368
          context: "build"
        - app_id: 15368
          context: "codeql-analysis"
    # At least one positive review must be present
    required_pull_request_reviews:
      required_approving_review_count: 1
  main: "2.x"

[netomi]

The reason node anchors are not supported in strictyaml sounds more opinionated rather than being a security concern:

https://hitchdev.com/strictyaml/why/node-anchors-and-references-removed/

While the intent of the feature is obvious (it lets you deduplicate code), the effect is to make the markup more or less unreadable to non-programmers.

I think this supporting node anchors would make strictyaml much more complex, but thats just a wild guess.

[netomi]

We could model it like that:

# Enforce Review-then-Commit
protected_branches:
  2.x:
    # All commits must be signed
    required_signatures: true
    # All reviews must be addressed before merging
    required_conversation_resolution: true
    # Require checks to pass before merging
    required_status_checks:
      checks:
        # The GitHub Actions app: 15368
        - app_id: 15368
          context: "build"
        - app_id: 15368
          context: "codeql-analysis"
    # At least one positive review must be present
    required_pull_request_reviews:
      required_approving_review_count: 1
  main:
    from: "2.x"
    with:
      required_pull_request_reviews:
        required_approving_review_count: 0

where from defines the base configuration to use, and with allows to override specific values if needed.

The schema could be adapted to allow the base branch protection settings via the existing MapPattern or the from use where the with would use the same MapPattern itself.

[ppkarwasz]

Sounds good to me. You can assign me to the issue and I'll try to make a PR to implement it.