37 lines
1 KiB
Markdown
37 lines
1 KiB
Markdown
# Branch Protection (Forgejo Primary)
|
|
|
|
`main` should be protected to satisfy constitutional governance (`all changes merge through pull requests`) and to require CI before merge.
|
|
|
|
## Required settings
|
|
|
|
- Protected branch: `main`
|
|
- Direct pushes disabled
|
|
- Required approvals: `1` (or stricter)
|
|
- Required status checks:
|
|
- `ci-gates / checks`
|
|
- Require signed commits: enabled
|
|
|
|
## Apply via script
|
|
|
|
```sh
|
|
./scripts/fj-enforce-branch-protection.sh
|
|
```
|
|
|
|
Optional overrides:
|
|
|
|
```sh
|
|
EVERY_CHANNEL_FORGE_HOST=https://forge.every.channel \
|
|
EVERY_CHANNEL_FORGE_REPO=every-channel/every.channel \
|
|
EVERY_CHANNEL_PROTECTED_BRANCH=main \
|
|
EVERY_CHANNEL_REQUIRED_CHECKS="ci-gates / checks" \
|
|
EVERY_CHANNEL_REQUIRED_APPROVALS=1 \
|
|
./scripts/fj-enforce-branch-protection.sh
|
|
```
|
|
|
|
Token source order:
|
|
|
|
1. `EVERY_CHANNEL_FORGE_TOKEN` / `FORGE_TOKEN` / `CODEBERG_TOKEN` env var
|
|
2. `secrets/forge-token.age` (preferred) via `agenix` or `age`
|
|
3. `secrets/codeberg-token.age` (compat) via `agenix` or `age`
|
|
|
|
The token must have repository admin scope to edit branch protection.
|