ops: document deploy secrets and enforce main branch protection
This commit is contained in:
every.channel
parent
d89d3100f6
commit
f3f2b046b7
3 changed files with 178 additions and 9 deletions
35
docs/BRANCH_PROTECTION.md
Normal file
35
docs/BRANCH_PROTECTION.md
Normal file
|
|
@ -0,0 +1,35 @@
|
|||
# Branch Protection (Codeberg)
|
||||
|
||||
`main` should be protected to satisfy constitutional governance (`all changes merge through pull requests`) and to require CI before merge.
|
||||
|
||||
## Required settings
|
||||
|
||||
- Protected branch: `main`
|
||||
- Direct pushes disabled
|
||||
- Required approvals: `1` (or stricter)
|
||||
- Required status checks:
|
||||
- `ci-gates / checks`
|
||||
- Require signed commits: enabled
|
||||
|
||||
## Apply via script
|
||||
|
||||
```sh
|
||||
./scripts/fj-enforce-branch-protection.sh
|
||||
```
|
||||
|
||||
Optional overrides:
|
||||
|
||||
```sh
|
||||
EVERY_CHANNEL_FORGE_REPO=every-channel/every.channel \
|
||||
EVERY_CHANNEL_PROTECTED_BRANCH=main \
|
||||
EVERY_CHANNEL_REQUIRED_CHECKS="ci-gates / checks" \
|
||||
EVERY_CHANNEL_REQUIRED_APPROVALS=1 \
|
||||
./scripts/fj-enforce-branch-protection.sh
|
||||
```
|
||||
|
||||
Token source order:
|
||||
|
||||
1. `CODEBERG_TOKEN` env var
|
||||
2. `secrets/codeberg-token.age` via `agenix` or `age`
|
||||
|
||||
The token must have repository admin scope to edit branch protection.
|
||||
Loading…
Add table
Add a link
Reference in a new issue