Merge pull request #224 from Silvia-Wachira/update_branch_protection

Implement Exclusion of Exempt Users
creativecommons · Oct 15, 2024 · 532203e · 532203e
2 parents fbd4764 + f2bb29c
commit 532203e
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 4 deletions.
diff --git a/ccos/norm/branch_protections.yml b/ccos/norm/branch_protections.yml
@@ -1,3 +1,8 @@
+# Specify repositories that are excluded from branch protections.
+#
+# Format:
+#   # comment indicating reason for exclusion
+#   - REPOSITORY
 EXEMPT_REPOSITORIES:
   # special purpose repo
   - australian-chapter
@@ -9,13 +14,27 @@ EXEMPT_REPOSITORIES:
   - global-network-strategy
   # special purpose repo
   - network-platforms
-  # exempted for bot pushes to default branch
-  - quantifying
   # special purpose repo
   - sre-wiki-js
   # special purpose repo
   - tech-support
 
+# Specify non-exempt repositories requiring specific status checks
+#
+# Format:
+#   REPOSITORY:
+#     - STATUS_CHECK_NAME
 REQUIRED_STATUS_CHECK_MAP:
   creativecommons.github.io-source:
     - Build and Deploy CC Open Source
+
+# Specify non-exempt repositories and the  people, teams, or apps who are
+# allowed to bypass required pull requests (PRs)
+#
+# Format:
+#   REPOSITORY:
+#     - GITHUB_USER_TEAM_OR_APP
+#     - GITHUB_USER_TEAM_OR_APP
+EXEMPT_USERS:
+  quantifying:
+    - cc-quantifying-bot
diff --git a/normalize_repos.py b/normalize_repos.py
@@ -110,6 +110,9 @@ def update_branch_protection(repo):
     config = load_branch_protection_config()
     exempt_repositories = config["EXEMPT_REPOSITORIES"]
     required_status_check_map = config["REQUIRED_STATUS_CHECK_MAP"]
+
+    exempt_users = config.get("EXEMPT_USERS", {}).get(repo.name, [])
+
     if repo.name not in exempt_repositories and is_engineering_project(repo):
         LOG.info(f"{repo.name}: updating branch protections")
         # The following empty *_bypass_pull_request_allowance arguments ensure
@@ -121,15 +124,15 @@ def update_branch_protection(repo):
                 required_approving_review_count=1,
                 user_push_restrictions=[],
                 contexts=required_status_check_map[repo.name],
-                users_bypass_pull_request_allowances=[],
+                users_bypass_pull_request_allowances=exempt_users,
                 teams_bypass_pull_request_allowances=[],
                 apps_bypass_pull_request_allowances=[],
             )
         else:
             default_branch.edit_protection(
                 required_approving_review_count=1,
                 user_push_restrictions=[],
-                users_bypass_pull_request_allowances=[],
+                users_bypass_pull_request_allowances=exempt_users,
                 teams_bypass_pull_request_allowances=[],
                 apps_bypass_pull_request_allowances=[],
             )
@@ -140,6 +143,7 @@ def update_branch_protection(repo):
 def update_branches(args, repos):
     if args.skip_branches:
         return
+
     LOG.info("Evaluting repositories for branch protections...")
     for repo in repos:
         update_branch_protection(repo)