Merged
56 changes: 35 additions & 21 deletions .github/workflows/lock-release.yml
Expand Up @@ -29,26 +29,23 @@ jobs:
owner: primer
repositories: react
private-key: ${{ secrets.PRIMER_APP_PRIVATE_KEY_SHARED }}
- name: Lock main branch
- name: Toggle rulesets
run: |
# Lock main but allow react-release-conductor team to push
# Allow react-release-conductor to bypass merge queue
gh api \
--method PUT \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/primer/react/branches/main/protection \
--input - <<EOF
{
"lock_branch": true,
"restrictions": {
"teams": ["react-release-conductor"],
"users": []
},
"required_status_checks": null,
"enforce_admins": true,
"required_pull_request_reviews": null
}
EOF
/repos/primer/react/rulesets/4089335 \
-F "bypass_actors[][actor_id]=12276524" \
-f "bypass_actors[][actor_type]=Team" \
-f "bypass_actors[][bypass_mode]=always"
Comment on lines +32 to +42
Copilot AI Mar 30, 2026

The PR description says the previous ruleset-based approach was reverted because bypass exceptions for release conductor do not work, but this change reintroduces ruleset bypass configuration. Can you clarify the intended behavior (rulesets vs legacy branch protection) and update either the workflow or PR description so they match?
gh api \
--method PUT \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/primer/react/rulesets/3801256 \
-f "enforcement=active"
Comment on lines 35 to +48
Copilot AI Mar 30, 2026

This workflow hard-codes ruleset IDs (4089335/3801256) and a team actor_id (12276524). If a ruleset is recreated or the team ID changes, the lock/unlock automation will silently break. Consider moving these to repository variables/secrets and/or looking up the ruleset/team by name at runtime before calling gh api.

This issue also appears on line 83 of the same file.
env:
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
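Review bot: the lock step's PUT on ruleset 4089335 sends a complete `bypass_actors` list, so any bypass actors that ruleset already carries are replaced by the single team entry, and the unlock step later clears the list to empty instead of restoring them; `bypass_mode=always` also exempts the team from every rule in 4089335, not only the merge queue named in the `# Allow react-release-conductor to bypass merge queue` comment. Suggest a comment stating what 4089335 and 3801256 each enforce, and scoping the team bypass to a ruleset that holds only the merge-queue rule (or `bypass_mode=pull_request` if that fits) so the lock window does not widen the team's privileges. Separately, the removed payload's `enforce_admins: true` has no counterpart here: whether admins can push to main while 3801256 is active now depends entirely on that ruleset's own bypass list, which is worth confirming is empty.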

Expand All @@ -65,15 +62,32 @@ jobs:
owner: primer
repositories: react
private-key: ${{ secrets.PRIMER_APP_PRIVATE_KEY_SHARED }}
- name: Unlock main branch
- name: Toggle rulesets
run: |
# Delete the branch protection rule entirely.
# Note: This workflow is the only thing using legacy branch protection.
# All other branch rules use rulesets, which are unaffected by this delete.
gh api \
--method DELETE \
--method PUT \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/primer/react/rulesets/4089335 \
-F "bypass_actors[]"
Copilot AI Mar 30, 2026

-F "bypass_actors[]" is unlikely to clear the ruleset bypass list (it may serialize as an empty element rather than an empty array, or be rejected by the API schema). Use an explicit empty array payload for bypass_actors so the unlock step reliably removes the bypass actors.

Suggested change
-F "bypass_actors[]"
-f "bypass_actors=[]"
gh api \
--method PUT \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/primer/react/branches/main/protection
/repos/primer/react/rulesets/3801256 \
-f "enforcement=disabled"
env:
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
- name: Update all PRs that are toggled merge when ready
run: |
PR_NUMBERS=$(gh pr list -L 100 -R primer/react --state open --json number,baseRefName,autoMergeRequest,reviewDecision -q '.[] | select(.autoMergeRequest != null) | select(.baseRefName == "main") | select(.reviewDecision == "APPROVED") | .number')
if [ -n "$PR_NUMBERS" ]; then
echo "Updating $PR_NUMBERS"
for pr in $PR_NUMBERS; do
gh pr update-branch -R primer/react "$pr" || echo "Warning: failed to update PR #$pr (likely has conflicts)"
done
else
echo "No PRs to update."
fi
env:
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
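Review bot: the three removed comment lines (`# Delete the branch protection rule entirely.` and the note about legacy branch protection) are not replaced, leaving the unlock step's two PUTs undocumented; add a comment saying the first clears the team bypass on 4089335 and the second disables 3801256, and that both must mirror the lock step. On the Copilot suggestion above, `-f "bypass_actors=[]"` would not fix the problem either: `-f` is gh's raw string field, so the API receives the string `"[]"`, not an empty array. The reliable form is a JSON body, as the removed lock step already did with `--input - <<EOF`, e.g. `{"bypass_actors": []}`. Also, both calls sit in one `run` block, so if the bypass-clearing call fails the `enforcement=disabled` call never runs and main stays locked with the team still listed as a bypass actor, and the `Update all PRs that are toggled merge when ready` step (which also silently caps at `-L 100` open PRs) is skipped; splitting the two calls into separate steps makes which half failed visible and leaves the resulting ruleset state explicit in the job log.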