From 286593f89e4b53a9734e48c5edd4821f6a725e12 Mon Sep 17 00:00:00 2001
From: Silvia-Wachira <wachirasilvia8.com>
Date: Mon, 7 Oct 2024 14:07:22 +0300
Subject: [PATCH 1/4] update the function update_branch_protection

---
 ccos/norm/branch_protections.yml | 5 ++++-
 normalize_repos.py               | 7 +++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ccos/norm/branch_protections.yml b/ccos/norm/branch_protections.yml
index d9ae382..a14e0b1 100644
--- a/ccos/norm/branch_protections.yml
+++ b/ccos/norm/branch_protections.yml
@@ -10,7 +10,10 @@ EXEMPT_REPOSITORIES:
   # special purpose repo
   - network-platforms
   # exempted for bot pushes to default branch
-  - quantifying
+  - quantifying:
+    exempt_users:
+      -bot1
+      -bot2
   # special purpose repo
   - sre-wiki-js
   # special purpose repo
diff --git a/normalize_repos.py b/normalize_repos.py
index 2ac254e..efbedd5 100755
--- a/normalize_repos.py
+++ b/normalize_repos.py
@@ -110,6 +110,9 @@ def update_branch_protection(repo):
     config = load_branch_protection_config()
     exempt_repositories = config["EXEMPT_REPOSITORIES"]
     required_status_check_map = config["REQUIRED_STATUS_CHECK_MAP"]
+    
+    exempt_users = config.get["exempt_users, {}).get(repo.name, [])"]
+
     if repo.name not in exempt_repositories and is_engineering_project(repo):
         LOG.info(f"{repo.name}: updating branch protections")
         # The following empty *_bypass_pull_request_allowance arguments ensure
@@ -121,7 +124,7 @@ def update_branch_protection(repo):
                 required_approving_review_count=1,
                 user_push_restrictions=[],
                 contexts=required_status_check_map[repo.name],
-                users_bypass_pull_request_allowances=[],
+                users_bypass_pull_request_allowances=exempt_users,
                 teams_bypass_pull_request_allowances=[],
                 apps_bypass_pull_request_allowances=[],
             )
@@ -129,7 +132,7 @@ def update_branch_protection(repo):
             default_branch.edit_protection(
                 required_approving_review_count=1,
                 user_push_restrictions=[],
-                users_bypass_pull_request_allowances=[],
+                users_bypass_pull_request_allowances=exempt_users,
                 teams_bypass_pull_request_allowances=[],
                 apps_bypass_pull_request_allowances=[],
             )

From 859918c9d14cad2e5f80189ffc9c48d851169f6d Mon Sep 17 00:00:00 2001
From: Silvia-Wachira <wachirasilvia8.com>
Date: Tue, 8 Oct 2024 23:59:19 +0300
Subject: [PATCH 2/4] update branch protection by making relevant changes

---
 ccos/norm/branch_protections.yml | 4 ++--
 normalize_repos.py               | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ccos/norm/branch_protections.yml b/ccos/norm/branch_protections.yml
index a14e0b1..dc9abfe 100644
--- a/ccos/norm/branch_protections.yml
+++ b/ccos/norm/branch_protections.yml
@@ -12,8 +12,8 @@ EXEMPT_REPOSITORIES:
   # exempted for bot pushes to default branch
   - quantifying:
     exempt_users:
-      -bot1
-      -bot2
+      # - bot1 
+      # - bot2 
   # special purpose repo
   - sre-wiki-js
   # special purpose repo
diff --git a/normalize_repos.py b/normalize_repos.py
index efbedd5..253aeb6 100755
--- a/normalize_repos.py
+++ b/normalize_repos.py
@@ -111,7 +111,7 @@ def update_branch_protection(repo):
     exempt_repositories = config["EXEMPT_REPOSITORIES"]
     required_status_check_map = config["REQUIRED_STATUS_CHECK_MAP"]
     
-    exempt_users = config.get["exempt_users, {}).get(repo.name, [])"]
+    exempt_users = config.get("EXEMP_USERS", {}).get(repo.name, [])
 
     if repo.name not in exempt_repositories and is_engineering_project(repo):
         LOG.info(f"{repo.name}: updating branch protections")

From 6326cb2f5e6d8316ffda054dbc0ce06b0ab38ac5 Mon Sep 17 00:00:00 2001
From: Silvia-Wachira <wachirasilvia8.com>
Date: Wed, 9 Oct 2024 18:27:19 +0300
Subject: [PATCH 3/4] update the branch_protections.yml file by adding a
 top-level EXEMPT_USERS section

---
 ccos/norm/branch_protections.yml | 20 +++++++++++++++-----
 normalize_repos.py               |  3 ++-
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/ccos/norm/branch_protections.yml b/ccos/norm/branch_protections.yml
index dc9abfe..dd5d64b 100644
--- a/ccos/norm/branch_protections.yml
+++ b/ccos/norm/branch_protections.yml
@@ -9,16 +9,26 @@ EXEMPT_REPOSITORIES:
   - global-network-strategy
   # special purpose repo
   - network-platforms
-  # exempted for bot pushes to default branch
-  - quantifying:
-    exempt_users:
-      # - bot1 
-      # - bot2 
   # special purpose repo
   - sre-wiki-js
   # special purpose repo
   - tech-support
 
 REQUIRED_STATUS_CHECK_MAP:
+  # Non-exempt repository requiring specific status checks
   creativecommons.github.io-source:
     - Build and Deploy CC Open Source
+
+EXEMPT_USERS:
+  quantifying:
+    # List of users or bots that can bypass restrictions for this repository
+    # Uncomment below to enable these users
+    # - bot1 
+    # - bot2 
+
+# Other repositories and exempt users can be added below
+another-repo:
+  # Specify exempt users for this repository
+  # Uncomment and add users as needed
+  # - bot3
+  # - bot4
diff --git a/normalize_repos.py b/normalize_repos.py
index 253aeb6..02350f1 100755
--- a/normalize_repos.py
+++ b/normalize_repos.py
@@ -111,7 +111,7 @@ def update_branch_protection(repo):
     exempt_repositories = config["EXEMPT_REPOSITORIES"]
     required_status_check_map = config["REQUIRED_STATUS_CHECK_MAP"]
     
-    exempt_users = config.get("EXEMP_USERS", {}).get(repo.name, [])
+    exempt_users = config.get("EXEMPT_USERS", {}).get(repo.name, [])
 
     if repo.name not in exempt_repositories and is_engineering_project(repo):
         LOG.info(f"{repo.name}: updating branch protections")
@@ -143,6 +143,7 @@ def update_branch_protection(repo):
 def update_branches(args, repos):
     if args.skip_branches:
         return
+    
     LOG.info("Evaluting repositories for branch protections...")
     for repo in repos:
         update_branch_protection(repo)

From f2bb29c86b5627a2c08e89e8407333353cafbb3d Mon Sep 17 00:00:00 2001
From: Timid Robot Zehta <timid@creativecommons.org>
Date: Tue, 15 Oct 2024 10:05:41 -0700
Subject: [PATCH 4/4] document and update/correct branch protections
 configuration

---
 ccos/norm/branch_protections.yml | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/ccos/norm/branch_protections.yml b/ccos/norm/branch_protections.yml
index dd5d64b..d9cad5d 100644
--- a/ccos/norm/branch_protections.yml
+++ b/ccos/norm/branch_protections.yml
@@ -1,3 +1,8 @@
+# Specify repositories that are excluded from branch protections.
+#
+# Format:
+#   # comment indicating reason for exclusion
+#   - REPOSITORY
 EXEMPT_REPOSITORIES:
   # special purpose repo
   - australian-chapter
@@ -14,21 +19,22 @@ EXEMPT_REPOSITORIES:
   # special purpose repo
   - tech-support
 
+# Specify non-exempt repositories requiring specific status checks
+#
+# Format:
+#   REPOSITORY:
+#     - STATUS_CHECK_NAME
 REQUIRED_STATUS_CHECK_MAP:
-  # Non-exempt repository requiring specific status checks
   creativecommons.github.io-source:
     - Build and Deploy CC Open Source
 
+# Specify non-exempt repositories and the  people, teams, or apps who are
+# allowed to bypass required pull requests (PRs)
+#
+# Format:
+#   REPOSITORY:
+#     - GITHUB_USER_TEAM_OR_APP
+#     - GITHUB_USER_TEAM_OR_APP
 EXEMPT_USERS:
   quantifying:
-    # List of users or bots that can bypass restrictions for this repository
-    # Uncomment below to enable these users
-    # - bot1 
-    # - bot2 
-
-# Other repositories and exempt users can be added below
-another-repo:
-  # Specify exempt users for this repository
-  # Uncomment and add users as needed
-  # - bot3
-  # - bot4
+    - cc-quantifying-bot