diff --git a/.github/workflows/branch-protection.yml b/.github/workflows/branch-protection.yml
index b97c930..0e3eea4 100644
--- a/.github/workflows/branch-protection.yml
+++ b/.github/workflows/branch-protection.yml
@@ -12,31 +12,33 @@ jobs:
 pull-requests: write
 administration: write
 steps:
- - name: "Apply protection to 'develop' branch"
+ - name: "Apply protection to default branch"
 uses: actions/github-script@v6
 with:
 script: |
 const owner = context.repo.owner;
 const repo = context.repo.repo;
- const branch = 'develop';
- // configure a simple protection policy: require status checks
- // and at least one approving review before merge
- await github.repos.updateBranchProtection({
+ // Determine the default branch (master or main)
+ const { data: repoData } = await github.rest.repos.get({ owner, repo });
+ const branch = repoData.default_branch;
+ console.log(`Applying protection to default branch: ${branch}`);
+
+ await github.rest.repos.updateBranchProtection({
 owner,
 repo,
 branch,
 required_status_checks: {
 strict: true,
 contexts: [
- 'Ensure PRs target develop',
- 'Lint',
- 'Unit Tests',
+ 'Verify PR target branch',
+ 'Lint (clippy)',
+ 'Unit Tests & Coverage',
 'Integration Tests (Postgres + Redis)',
- 'Security Scan'
+ 'Security Scan (cargo-audit)'
 ]
 },
- enforce_admins: true,
+ enforce_admins: false,
 required_pull_request_reviews: {
 require_code_owner_reviews: false,
 required_approving_review_count: 1
@@ -49,9 +51,11 @@ jobs:
 uses: actions/github-script@v6
 with:
 script: |
- const { data } = await github.repos.getBranchProtection({
- owner: context.repo.owner,
- repo: context.repo.repo,
- branch: 'develop'
+ const owner = context.repo.owner;
+ const repo = context.repo.repo;
+ const { data: repoData } = await github.rest.repos.get({ owner, repo });
+ const branch = repoData.default_branch;
+ const { data } = await github.rest.repos.getBranchProtection({
+ owner, repo, branch
 });
 console.log(JSON.stringify(data, null, 2));
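Review bot: Flipping `enforce_admins: true` to `enforce_admins: false` in the updateBranchProtection payload weakens the policy: repository admins can then push or merge to the protected branch without the required status checks or the approving review, and the commit gives no reason for the change. Unless an admin bypass is deliberately wanted, keep `enforce_admins: true,`, or record the rationale in the comment block above the call. A second concern is that the step now protects only `default_branch`, so `develop` — which the old step protected and which the ci-cd.yml guard in this same commit still accepts as a PR target — no longer receives any protection from this workflow; either apply the policy to both branches or state that `develop` is intentionally unprotected. The renamed `contexts` entries must match the exact job `name:` values in ci-cd.yml; only 'Verify PR target branch' is visible in this diff, so 'Lint (clippy)', 'Unit Tests & Coverage' and 'Security Scan (cargo-audit)' should be checked against their jobs, because a context that never reports blocks every merge. The script block continues past the end of the hunk.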
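Review bot: The two lines that resolve `branch` from `github.rest.repos.get({ owner, repo })` in this "show protection" step are copied verbatim from the apply step earlier in the job, so the two lookups can drift apart if one is later changed and the other is not. Resolving the default branch once in a preceding step and publishing it with `core.setOutput('branch', repoData.default_branch)` would let both scripts read `${{ steps.<step-id>.outputs.branch }}` (step id is a placeholder) instead of repeating the API call. The step's YAML header lies before the start of the hunk.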
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index fba36f6..b852db4 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -26,18 +26,20 @@ permissions:
 security-events: write
 jobs:
- # ── Guard: PRs must target develop, not main ────────────────────────────────
+ # ── Guard: PRs must target develop or master, not an arbitrary branch ────────
 check-target:
- name: Ensure PRs target develop
+ name: Verify PR target branch
 runs-on: ubuntu-latest
 if: github.event_name == 'pull_request'
 steps:
 - name: Verify base branch
 run: |
- if [ "${{ github.event.pull_request.base.ref }}" = "main" ]; then
- echo "🚫 Pull requests must target 'develop', not 'main'."
+ BASE="${{ github.event.pull_request.base.ref }}"
+ if [[ "$BASE" != "develop" && "$BASE" != "master" && "$BASE" != "main" ]]; then
+ echo "🚫 Pull requests must target 'develop', 'master', or 'main'. Got: $BASE"
 exit 1
 fi
+ echo "✅ PR targets valid base branch: $BASE"
 # ── Change detection ────────────────────────────────────────────────────────
 changes:
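Review bot: The new `BASE="${{ github.event.pull_request.base.ref }}"` line interpolates a workflow expression straight into the shell script; the value is a branch name of the base repository, so the exposure is limited, but the hardening pattern for `run:` steps is to pass expressions through `env:` so the shell only ever sees a variable: add `env:` / `  BASE: ${{ github.event.pull_request.base.ref }}` to the step and drop the `BASE=` assignment. Separately, the updated comment `# ── Guard: PRs must target develop or master, not an arbitrary branch` disagrees with the condition two lines below and with the error message, both of which also accept `main`; change it to `# ── Guard: PRs must target develop, master or main, not an arbitrary branch`. Note that the old check rejected only `main`, so PRs into `main` that were previously blocked are now accepted — confirm that is intended, since the branch-protection workflow in this same commit applies its policy only to the default branch.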