
[RFE] Standardize Pull Request, Merging workflow and branch protection rules

Open John15321 opened this issue 8 months ago • 39 comments

In the Flatcar organization, many repositories still lack branch-protection rules, and Pull-Request workflows vary widely from repo to repo. Below is a unified configuration proposal that can be applied to most repositories (some may require special settings).


1. Default branch

  • Set the default branch to main (or master).
    Most modern tools default to main, so choosing main simplifies integrations.

[Screenshot: Default branch setting]


2. Pull-Request settings

[Screenshot: Pull-Request merge settings]

  • Allow squash merging only
    Disallow “Merge commits” and “Rebase merging.” Squash merging produces a single commit per PR on the default branch, yielding a clean, linear history. The commit message defaults to the PR title + description, and the squash commit links back to the PR for traceability.
  • “Suggest updating branch”
    Encourages contributors to rebase their branch onto the latest default-branch changes. (You can later require branches to be up to date.)
  • Enable auto-merge once all requirements are met (approvals, CI).
  • Automatically delete head branches after merge to keep the branch list tidy.

3. Branch ruleset for the default branch

Create a ruleset targeting your default branch.

[Screenshot: Branch ruleset overview]


4. Bypass permissions

Maintainer-level teams should be granted “bypass” privileges so they can override rules when necessary.

[Screenshot: Bypass list]


5. Target branches

Set the rule’s target to your default branch (e.g. main).

[Screenshot: Target branch setting]


6. Individual rules

  1. Restrict deletions — prevent accidental branch deletion (default ON).

  2. Require linear history — forces contributors to rebase before merging.

    [Screenshot: Require linear history]

  3. Require review from Code Owners

    • Ensures designated owners sign off on changes.
    • Discussion: flatcar/Flatcar #1665
    • Learn about CODEOWNERS: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
  4. Require approval of the most recent reviewable push — guarantees the final approved commit is what gets merged.

  5. Require conversation resolution before merging — ensures all review comments are addressed.

  6. Allowed merge methods: Squash

    [Screenshot: Allowed merge methods]

  7. Require status checks to pass — CI must succeed before merge.

  8. Require branches to be up to date before merging — enforces rebasing onto the latest default branch.

    [Screenshot: Status checks & up-to-date requirement]

  9. Block force pushes — (optional; default ON; open for discussion).

    [Screenshot: Block force pushes]

  10. Require code-scanning results — integrate your chosen code-scanning tool on every repo.

    [Screenshot: Require code scanning]

Note: These settings serve as guidelines—or “rails”—to keep our workflow consistent and maintain a clean history. Maintainers retain the ability to bypass or adjust any rule when exceptional circumstances arise.

John15321 avatar Apr 11 '25 09:04 John15321

List of repos without main branch protection:

  • [ ] https://github.com/flatcar/ue-rs
  • [ ] https://github.com/flatcar/flatcar-cloud-image-uploader
  • [ ] https://github.com/flatcar/flatcar-terraform
  • [ ] https://github.com/flatcar/container-linux-config-transpiler
  • [ ] https://github.com/flatcar/locksmith
  • [ ] https://github.com/flatcar/sysext-bakery
  • [ ] https://github.com/flatcar/flatcar-demos
  • [ ] https://github.com/flatcar/update-ssh-keys
  • [ ] https://github.com/flatcar/flatcar-dev-util
  • [ ] https://github.com/flatcar/flatcar-build-scripts
  • [ ] https://github.com/flatcar/mayday
  • [ ] https://github.com/flatcar/flatcar-release-mirror
  • [ ] https://github.com/flatcar/flatcar-packer-qemu
  • [ ] https://github.com/flatcar/updateservicectl
  • [ ] https://github.com/flatcar/flatcar-cpe-util
  • [ ] https://github.com/flatcar/flatcar-maintainer-private

John15321 avatar Apr 14 '25 12:04 John15321

Thanks, this all looks good to me. Question: can we set this from the template repo? To avoid thinking about this when creating new repos?

I just have some concerns regarding the "squash & merge":

  • it does not preserve the signature of the commit author but it uses the GitHub signature (e.g here: https://github.com/tormath1/scripts/commit/35297bb436f9d08a7ff4c74975723f36794a5430)
  • for some features, it's easier to split development into commits to use later. E.g. when upgrading a package on ::coreos-overlay, we usually have one commit to sync with Gentoo and a second to apply Flatcar downstream modifications; the last one would be lost when squashing, so for the next upgrade it could be challenging to retrieve those downstream modifications.
  • having split commits can ease the revert of some specific part of a feature implementation (search for `git log --grep Revert` in Mantle or Scripts project for example)

For the "Block force pushes — (optional; default ON; open for discussion)." - it does apply only on main branch right?

tormath1 avatar Apr 25 '25 07:04 tormath1

> Thanks, this all looks good to me. Question: can we set this from the template repo? To avoid thinking about this when creating new repos?
>
> I just have some concerns regarding the "squash & merge":
>
>   • it does not preserve the signature of the commit author but it uses the GitHub signature (e.g here: tormath1/scripts@35297bb)
>   • for some features, it's easier to split development into commits to use later. E.g. when upgrading a package on ::coreos-overlay, we usually have one commit to sync with Gentoo and a second to apply Flatcar downstream modifications; the last one would be lost when squashing, so for the next upgrade it could be challenging to retrieve those downstream modifications.
>   • having split commits can ease the revert of some specific part of a feature implementation (search for `git log --grep Revert` in Mantle or Scripts project for example)
>
> For the "Block force pushes — (optional; default ON; open for discussion)." - it does apply only on main branch right?

Hey @tormath1! Thanks for taking a look at this 😄

When it comes to using the GitHub Templates to spread the configuration - as far as I know unfortunately no. I know people sometimes do it via fancy GitHub actions but that's about it.

As for signatures on commits - my honest response is that I don't know how to fix this issue. I will try to research more on this topic and get back to you.

When it comes to splitting development: personally I have always been of the idea that a commit to main/PR should represent one, singular thing, thus being easy to revert. But this is of course very abstract and sometimes it will not make sense for a given project, so I would say that in that case the solution would be to revert the change, and then use the branch to create a new one, extract wanted commits and create a new PR/merge into main. - But yeah, it's not ideal.

> For the "Block force pushes — (optional; default ON; open for discussion)." - it does apply only on main branch right?

I think if the main is the default one, then it applies to main?

John15321 avatar Apr 25 '25 10:04 John15321

Pt. 2, IMO, I’m happy with the current system as it helps preserve history — provided the PR commits are properly arranged. Additionally, it makes reverts easier. We should establish guidelines on how to organize PRs and commits. I’d also recommend avoiding auto-merging PRs, even if all checks pass. Merging should be done manually to provide a minimal gating layer.

Pt. 6, I believe we should ensure that PRs do not include merge commits. I noticed some PRs had them, and in such cases, we should ask contributors to tidy up the commit history. And Pt. 6.5: It can remain disabled — I'm a bit divided on that.

Everything else looks good.

sayanchowdhury avatar May 08 '25 14:05 sayanchowdhury

> Pt. 2, IMO, I’m happy with the current system as it helps preserve history — provided the PR commits are properly arranged. Additionally, it makes reverts easier. We should establish guidelines on how to organize PRs and commits. I’d also recommend avoiding auto-merging PRs, even if all checks pass. Merging should be done manually to provide a minimal gating layer.
>
> Pt. 6, I believe we should ensure that PRs do not include merge commits. I noticed some PRs had them, and in such cases, we should ask contributors to tidy up the commit history. And Pt. 6.5: It can remain disabled — I'm a bit divided on that.
>
> Everything else looks good.

I understand the argument for avoiding auto merges. Personally I'm 50/50 split on this - so I don't mind not using that.

Apart from this are there any other things you would change in order to implement it in all of Flatcar? @sayanchowdhury

John15321 avatar May 08 '25 21:05 John15321

I don't usually have strong opinions on these things, but I really don't want to force squashing. I always strive to have clean separate commits with good descriptions for each. This helps me enormously, as I look back through the history very frequently. I encourage others to do the same, but I recognise that not everyone works the same way, and some find git difficult to handle. I therefore think that squashing should still be an option for times when pushing for a cleaner history would lead to a negative experience for the contributor.

I don't really mind about merge commits. I understand them, but they can be confusing for others. Gentoo's main package repository bans them because they don't make sense when the changes made by different people are largely unrelated, i.e. does it really matter what the state of app-editors/nano was when sys-apps/systemd was modified? Most changes to flatcar/scripts relate to packages, so we could make the same argument there.

I force push to my own branches all the time. I have force pushed to main on very rare occasions when I thought I could get away with it, but I don't think that's sensible for Flatcar. If we really need to do it, we could temporarily change that rule following a discussion.

chewi avatar May 13 '25 10:05 chewi

Squashing, for example in the case of https://github.com/flatcar/scripts/pull/2300, would have broken some pretty good future understanding / scenarios like: revert one commit if needed, track the commit that was good or wrong, see the big picture in a better way as it is split in rather good atomic parts.

ader1990 avatar May 13 '25 10:05 ader1990

> Pt. 2, IMO, I’m happy with the current system as it helps preserve history — provided the PR commits are properly arranged. Additionally, it makes reverts easier. We should establish guidelines on how to organize PRs and commits. I’d also recommend avoiding auto-merging PRs, even if all checks pass. Merging should be done manually to provide a minimal gating layer.
>
> Pt. 6, I believe we should ensure that PRs do not include merge commits. I noticed some PRs had them, and in such cases, we should ask contributors to tidy up the commit history. And Pt. 6.5: It can remain disabled — I'm a bit divided on that.
>
> Everything else looks good.

I would suggest that the Flatcar merging workflow uses the dual responsibility of merge: currently, the maintainer owner of the PR needs to merge it. I would change this to have another maintainer merge a maintainer's PR, to share responsibility. This dual sharing of merge responsibility is used in almost all of the OpenStack projects.

ader1990 avatar May 13 '25 10:05 ader1990

Definitely no to squash merges. Individual commits group an isolated diff with a matching description. This is super valuable when reviewing history for a long lived project like Flatcar. Additionally the historical context/sequence of changes within a branch helps understand the interactions between commits. Squash merging loses all of that.

Enforcing merge commits keeps all that information. It is also possible to revert a whole merge commit or each individual commit if the rest is fine.

So I'd say we should allow only merging through merge commits. `git log --first-parent --oneline` provides a linear condensed view when needed and you still have the option to drop into individual commits.

And we shouldn't be asking people to rebase branches by default either - only when necessary: when there are conflicts or dependencies or to cleanup commits. Rebasing invalidates any testing that a contributor did prior to the rebase, and the point at which a branch was started is also useful information.

I like that people are looking at the contributor experience, so we should tolerate merge commits in external PR branches or maintainers should clean up history when needed, but not put that burden on contributors. Internally we should keep the history within each branch at a high standard: reasonable split into (small-ish) commits, good commits messages, no WIP/TMP/attempts. This investment pays dividends later down the line for us.

jepio avatar May 13 '25 10:05 jepio

> Pt. 2, IMO, I’m happy with the current system as it helps preserve history — provided the PR commits are properly arranged. Additionally, it makes reverts easier. We should establish guidelines on how to organize PRs and commits. I’d also recommend avoiding auto-merging PRs, even if all checks pass. Merging should be done manually to provide a minimal gating layer. Pt. 6, I believe we should ensure that PRs do not include merge commits. I noticed some PRs had them, and in such cases, we should ask contributors to tidy up the commit history. And Pt. 6.5: It can remain disabled — I'm a bit divided on that. Everything else looks good.

> I would suggest that the Flatcar merging workflow uses the dual responsibility of merge: currently, the maintainer owner of the PR needs to merge it. I would change this to have another maintainer merge a maintainer's PR, to share responsibility. This dual sharing of merge responsibility is used in almost all of the OpenStack projects.

Thanks for laying this out so clearly! I agree with your points 😄

And I really like your suggestion about dual responsibility for merging maintainer-authored PRs. That kind of peer review and shared accountability aligns well with how other mature projects operate and could be a great fit for us too.

John15321 avatar May 13 '25 12:05 John15321

Thanks again for all the thoughtful input!

I completely get the preference for merge commits in more complex PRs - being able to review individual commits and preserve context is incredibly valuable, and I agree that we should absolutely keep that as an option.

That said, what do you think about supporting both merge commits and squash commits, depending on the nature of the PR? For smaller or simpler changes, squash merges can help keep the history clean and reduce overhead. In many of those cases, the commit history isn’t something people will read through later - it often just serves as a kind of working backup during development. And for very simple changes, taking excessive care to craft a perfect commit history might be more time-consuming than it’s worth.

This kind of hybrid approach could give us flexibility while still encouraging good practices where they matter most. Curious to hear your thoughts! 😄

John15321 avatar May 13 '25 13:05 John15321

> That said, what do you think about supporting both merge commits and squash commits, depending on the nature of the PR? For smaller or simpler changes, squash merges can help keep the history clean and reduce overhead. In many of those cases, the commit history isn’t something people will read through later - it often just serves as a kind of working backup during development. And for very simple changes, taking excessive care to craft a perfect commit history might be more time-consuming than it’s worth.

When it comes to "depending on the nature of the PR" this is where things become more complicated as this opinion might diverge from one to the other. Some folks will see a "squash & merge" while others will see a "merge" and then you lost the goal of this effort: bring standardization.

I think we can go-ahead with all the other steps, but the step 6 might stay on "merge commits".

Two things:

  • As mentioned previously, we must double-check that the "force push" removal only applies to main branches. (e.g on a dev branch you force push most of the time)
  • For step 7: Require status checks to pass — CI must succeed before merge, it's currently blocked by: https://github.com/flatcar/Flatcar/issues/1726

tormath1 avatar May 13 '25 15:05 tormath1

> When it comes to "depending on the nature of the PR" this is where things become more complicated as this opinion might diverge from one to the other. Some folks will see a "squash & merge" while others will see a "merge" and then you lost the goal of this effort: bring standardization.
>
> I think we can go-ahead with all the other steps, but the step 6 might stay on "merge commits".
>
> Two things:
>
>   • As mentioned previously, we must double-check that the "force push" removal only applies to main branches. (e.g on a dev branch you force push most of the time)
>   • For step 7: Require status checks to pass — CI must succeed before merge, it's currently blocked by: FOSSA integration makes CI to fail #1726

Sounds good to me - happy to go with merge commits as the standard if that’s where consensus is landing 😄

One thing I’d like to ask though: how should we handle PRs from external contributors who might not have a clean commit history? In those cases, enforcing merge commits could result in messier history unless maintainers step in to help clean things up. Would we want to document a guideline for that, or just leave it to maintainer discretion?

Also, totally agree on the CI checks. If something like the FOSSA issue is blocking progress, I think it’s perfectly reasonable to temporarily disable the requirement per repo or allow bypassing it for a limited time - just as long as it’s tracked and revisited.

John15321 avatar May 14 '25 14:05 John15321

Discussion in May 14 office hours:

  • this might create transient breakage in some automation that uses hard-wired branch names
  • changes should be made using terraform / opentofu so it's reproducible and can be reviewed, iterated on by multiple engineers
  • Capture a summary in the comments here

Lazy consensus: if there's no push-back 'til the Dev Sync (May 28), implement.

t-lo avatar May 14 '25 14:05 t-lo

Hi guys! Thank you all for adding to this conversation. After some discussion, I would call the rules below the consensus. As Thilo mentioned, if there is no opposition, we would start implementing them soon. This is the same as the initial ruleset in the issue description but edited to reflect changes that we have discussed (please double check me if there is a mistake):


1. Default branch

  • Set the default branch to main (or master).
    Most modern tools default to main, so choosing main simplifies integrations.

2. Pull-Request settings

  • Allow Merge Commits only
  • ~~Allow squash merging only
    Disallow “Merge commits” and “Rebase merging.” Squash merging produces a single commit per PR on the default branch, yielding a clean, linear history. The commit message defaults to the PR title + description, and the squash commit links back to the PR for traceability.~~
  • “Suggest updating branch”
    Encourages contributors to rebase their branch onto the latest default-branch changes. (You can later require branches to be up to date.)
  • ~~Enable auto-merge once all requirements are met (approvals, CI).~~
  • Automatically delete head branches after merge to keep the branch list tidy.

3. Branch ruleset for the default branch

Create a ruleset targeting your default branch.


4. Bypass permissions

Maintainer-level teams should be granted “bypass” privileges so they can override rules when necessary.


5. Target branches

Set the rule’s target to your default branch (e.g. main).


6. Individual rules

EDIT: drop "Require branches to be up to date before merging"

  1. Restrict deletions — prevent accidental branch deletion (default ON).
  2. ~~Require linear history — forces contributors to rebase before merging.~~
  3. Require review from Code Owners
    • Ensures designated owners sign off on changes.
    • Discussion: flatcar/Flatcar #1665
    • Learn about CODEOWNERS: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
  4. Require approval of the most recent reviewable push — guarantees the final approved commit is what gets merged.
  5. Require conversation resolution before merging — ensures all review comments are addressed.
  6. Allowed merge methods: Merge Commit ~~Allowed merge methods: Squash~~
  7. Require status checks to pass — CI must succeed before merge.
  8. ~~Require branches to be up to date before merging — enforces rebasing onto the latest default branch~~
  9. Block force pushes — (optional; default ON; open for discussion).
  10. Require code-scanning results — integrate your chosen code-scanning tool on every repo.

After we agree on the ruleset we will start the implementation by letting maintainers of given repos start the process and be able to adapt both the ruleset and the repositories to the new rules.

Later we will update and reorganize the contribution guidelines to reflect the new changes.

Thank you all!

John15321 avatar May 14 '25 16:05 John15321

Could you drop 7? The artificial semi-linear history distorts the actual reality of how development happened and forcing rebases causes churn on all PRs that are in flight. We mostly have PRs that are independent but we have a lot of them that are in-flight at the same time. This requirement is not appropriate for Flatcar (or any project really).

jepio avatar May 14 '25 18:05 jepio

While I'm not too bothered about the effect of 7 on the history, it is true that this creates a painful churn when combined with 6, especially when our CI takes so long and can be flaky. I've seen this happen a lot in my previous work.

chewi avatar May 15 '25 08:05 chewi

Got it, I wasn't sure about that point from our conversation, thanks for pointing that out 😄. It's deleted now (I know the numbering slightly changed).

Anything else?

John15321 avatar May 15 '25 09:05 John15321

Now enabled on Mantle.

A few notes:

  • require review from codeowner is not set as there is no CODEOWNERS file at the moment
  • require status checks to pass: it's not super intuitive to set, you need to type the name of the workflow (I was expecting checks to be listed by default)
  • require code scanning result: you need to enable default CodeQL from here https://github.com/flatcar/${REPO}/security/code-scanning

tormath1 avatar May 19 '25 11:05 tormath1
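The tracking checklist that follows is filled in by hand, per repository. As an added example (not Flatcar tooling and not code from anyone in this thread), the script below audits a branch's effective rules against the consensus ruleset using the JSON array that GitHub returns from `GET /repos/{owner}/{repo}/rules/branches/{branch}`. The rule type names (`deletion`, `non_fast_forward`, `pull_request`, `required_status_checks`, `code_scanning`, `required_linear_history`) and the `pull_request` / `required_status_checks` parameter names follow that API; the `allowed_merge_methods` parameter name is an assumption, and the sample response embedded in the block is constructed, not captured from a Flatcar repository.

```python
"""Audit a branch's effective GitHub rules against the consensus ruleset from this thread.

Added example, not Flatcar tooling. Input is the JSON array returned by
GET /repos/{owner}/{repo}/rules/branches/{branch}; each element carries a
rule "type" and, for some types, a "parameters" object.
"""
import json
import urllib.request

# Rule types the consensus ruleset (comment of May 14) requires on main.
REQUIRED_RULES = {
    "deletion": "Restrict deletions",
    "non_fast_forward": "Block force pushes",
    "pull_request": "Pull request review rules",
    "required_status_checks": "Require status checks to pass",
    "code_scanning": "Require code-scanning results",
}

# Parameters expected inside the pull_request rule.
REQUIRED_PR_PARAMS = {
    "require_code_owner_review": True,
    "require_last_push_approval": True,
    "required_review_thread_resolution": True,
}


def audit_rules(rules):
    """Return a list of findings for one branch; an empty list means compliant."""
    findings = []
    by_type = {rule.get("type"): rule for rule in rules}

    for rule_type, label in REQUIRED_RULES.items():
        if rule_type not in by_type:
            findings.append(f"missing: {label} ({rule_type})")

    # Dropped from the consensus: it forces rebases and churns in-flight PRs.
    if "required_linear_history" in by_type:
        findings.append("present but dropped by consensus: Require linear history")

    pr_params = by_type.get("pull_request", {}).get("parameters", {})
    if "pull_request" in by_type:
        for key, want in REQUIRED_PR_PARAMS.items():
            if pr_params.get(key) != want:
                findings.append(f"pull_request.{key} should be {want}, got {pr_params.get(key)!r}")
        # Assumption: the API exposes the allowed merge methods under this key.
        methods = pr_params.get("allowed_merge_methods")
        if methods is not None and set(methods) != {"merge"}:
            findings.append(f"allowed merge methods should be merge only, got {sorted(methods)}")

    # "Require branches to be up to date" is the strict policy; also dropped.
    sc_params = by_type.get("required_status_checks", {}).get("parameters", {})
    if sc_params.get("strict_required_status_checks_policy"):
        findings.append("strict up-to-date status check policy is on; consensus dropped it")

    return findings


def fetch_branch_rules(owner, repo, branch, token):
    """Live lookup of the effective rules (needs network; not used by the sample below)."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/rules/branches/{branch}",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample: a repo still carrying the original squash-era rules
# (linear history, strict up-to-date) that never enabled force-push blocking,
# code-owner review, or code scanning.
SAMPLE_RULES = json.loads("""[
  {"type": "deletion"},
  {"type": "required_linear_history"},
  {"type": "pull_request", "parameters": {
     "required_approving_review_count": 1,
     "require_code_owner_review": false,
     "require_last_push_approval": true,
     "required_review_thread_resolution": true,
     "dismiss_stale_reviews_on_push": false}},
  {"type": "required_status_checks", "parameters": {
     "strict_required_status_checks_policy": true,
     "required_status_checks": [{"context": "ci"}]}}
]""")

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Because the endpoint is evaluated per branch, querying it once for `main` and once for a development branch shows directly which branches the force-push block applies to, which is the question raised twice above. Running the block on the constructed sample reports five findings: the missing force-push block and code-scanning rule, the leftover linear-history rule, code-owner review switched off, and the strict up-to-date policy still enabled.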

PR and Branching rules tracking

See Governance for governance, commit, and vote guidelines as well as maintainer responsibilities. Everybody listed in this file is a maintainer as per governance definition.

Repositories

  • Thilo Fromm:
    • Flatcar
      • [x] Default branch set to main
      • [ ] "Suggest updating branch" set
      • [ ] Automatically delete head branches after merge to keep the branch list tidy.
      • [ ] Create a ruleset for default (main) branch:
        • [ ] Allow merge commits only
        • [ ] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [ ] Require approval of the most recent reviewable push
        • [ ] Require conversation resolution before merging
        • [ ] Require status checks to pass (CI checks)
        • [ ] Block force pushes
        • [ ] Require code-scanning results
      • Notes:
  • Kai Lüke, Gabriel Samfira, Thilo Fromm, Krzesimir Nowak, Adrian Vladu, Dongsu Park, Mathieu Tortuyaux, Sayan Chowdhury, Jeremi Piotrowski, James Le Cuirot:
    • scripts
      • [x] Default branch set to main
      • [ ] "Suggest updating branch" set
      • [ ] Automatically delete head branches after merge to keep the branch list tidy.
      • [ ] Create a ruleset for default (main) branch:
        • [ ] Allow merge commits only
        • [ ] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [ ] Require approval of the most recent reviewable push
        • [ ] Require conversation resolution before merging
        • [ ] Require status checks to pass (CI checks)
        • [ ] Block force pushes
        • [ ] Require code-scanning results
      • Notes:
  • Ervin Racz:
    • nebraska
      • [x] Default branch set to main
      • [x] "Suggest updating branch" set
      • [x] Automatically delete head branches after merge to keep the branch list tidy.
      • [x] Create a ruleset for default (main) branch:
        • [x] Allow merge commits only
        • [x] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [x] Require approval of the most recent reviewable push
        • [x] Require conversation resolution before merging
        • [x] Require status checks to pass (CI checks)
        • [x] Block force pushes
        • [x] Require code-scanning results
      • Notes:
  • Kai Lüke, Thilo Fromm, Mathieu Tortuyaux:
    • flatcar-website
      • [x] Default branch set to main
      • [x] "Suggest updating branch" set
      • [x] Automatically delete head branches after merge to keep the branch list tidy.
      • [x] Create a ruleset for default (main) branch:
        • [x] Allow merge commits only
        • [x] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [x] Require approval of the most recent reviewable push
        • [x] Require conversation resolution before merging
        • [x] Require status checks to pass (CI checks)
        • [x] Block force pushes
        • [x] Require code-scanning results
      • Notes:
  • Mathieu Tortuyaux:
    • mantle
      • [x] Default branch set to main
      • [x] "Suggest updating branch" set
      • [x] Automatically delete head branches after merge to keep the branch list tidy.
      • [x] Create a ruleset for default (main) branch:
        • [x] Allow merge commits only
        • [x] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [x] Require approval of the most recent reviewable push
        • [x] Require conversation resolution before merging
        • [x] Require status checks to pass (CI checks)
        • [x] Block force pushes
        • [x] Require code-scanning results
      • Notes:
  • Mathieu Tortuyaux:
    • locksmith
      • [ ] Default branch set to main
      • [ ] "Suggest updating branch" set
      • [ ] Automatically delete head branches after merge to keep the branch list tidy.
      • [ ] Create a ruleset for default (main) branch:
        • [ ] Allow merge commits only
        • [ ] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [ ] Require approval of the most recent reviewable push
        • [ ] Require conversation resolution before merging
        • [ ] Require status checks to pass (CI checks)
        • [ ] Block force pushes
        • [ ] Require code-scanning results
      • Notes:
  • Kai Lüke, Dongsu Park:
    • update_engine
      • [x] Default branch set to main
      • [x] "Suggest updating branch" set
      • [x] Automatically delete head branches after merge to keep the branch list tidy.
      • [x] Create a ruleset for default (main) branch:
        • [x] Allow merge commits only
        • [x] Allow for flatcar-maintainers to bypass restrictions
        • [x] Require review from Code Owners
        • [x] Require approval of the most recent reviewable push
        • [x] Require conversation resolution before merging
        • [x] Require status checks to pass (CI checks)
        • [x] Block force pushes
        • [x] Require code-scanning results
      • Notes:
  • Kai Lüke, Dongsu Park:
    • ue-rs
      • [x] Default branch set to main
      • [x] "Suggest updating branch" set
      • [x] Automatically delete head branches after merge to keep the branch list tidy.
      • [x] Create a ruleset for default (main) branch:
        • [x] Allow merge commits only
        • [x] Allow for flatcar-maintainers to bypass restrictions
        • [x] Require review from Code Owners
        • [x] Require approval of the most recent reviewable push
        • [x] Require conversation resolution before merging
        • [x] Require status checks to pass (CI checks)
        • [x] Block force pushes
        • [x] Require code-scanning results
      • Notes:
  • Mateusz Gozdek:
    • flatcar-linux-update-operator
      • [ ] Default branch set to main
      • [ ] "Suggest updating branch" set
      • [ ] Automatically delete head branches after merge to keep the branch list tidy.
      • [ ] Create a ruleset for default (main) branch:
        • [ ] Allow merge commits only
        • [ ] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [ ] Require approval of the most recent reviewable push
        • [ ] Require conversation resolution before merging
        • [ ] Require status checks to pass (CI checks)
        • [ ] Block force pushes
        • [ ] Require code-scanning results
      • Notes:
  • Kai Lüke:
    • init
      • [ ] Default branch set to main
      • [ ] "Suggest updating branch" set
      • [ ] Automatically delete head branches after merge to keep the branch list tidy.
      • [ ] Create a ruleset for default (main) branch:
        • [ ] Allow merge commits only
        • [ ] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [ ] Require approval of the most recent reviewable push
        • [ ] Require conversation resolution before merging
        • [ ] Require status checks to pass (CI checks)
        • [ ] Block force pushes
        • [ ] Require code-scanning results
      • Notes:
  • Kai Lüke, James Le Cuirot:
    • bootengine
      • [ ] Default branch set to main
      • [ ] "Suggest updating branch" set
      • [ ] Automatically delete head branches after merge to keep the branch list tidy.
      • [ ] Create a ruleset for default (main) branch:
        • [ ] Allow merge commits only
        • [ ] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [ ] Require approval of the most recent reviewable push
        • [ ] Require conversation resolution before merging
        • [ ] Require status checks to pass (CI checks)
        • [ ] Block force pushes
        • [ ] Require code-scanning results
      • Notes:
  • Jeremi Piotrowski:
    • container-linux-config-transpiler
      • [ ] Default branch set to main
      • [ ] "Suggest updating branch" set
      • [ ] Automatically delete head branches after merge to keep the branch list tidy.
      • [ ] Create a ruleset for default (main) branch:
        • [ ] Allow merge commits only
        • [ ] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [ ] Require approval of the most recent reviewable push
        • [ ] Require conversation resolution before merging
        • [ ] Require status checks to pass (CI checks)
        • [ ] Block force pushes
        • [ ] Require code-scanning results
      • Notes:
  • Mathieu Tortuyaux:
    • ign-converter
      • [x] Default branch set to main
      • [ ] "Suggest updating branch" set
      • [ ] Automatically delete head branches after merge to keep the branch list tidy.
      • [ ] Create a ruleset for default (main) branch:
        • [ ] Allow merge commits only
        • [ ] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [ ] Require approval of the most recent reviewable push
        • [ ] Require conversation resolution before merging
        • [ ] Require status checks to pass (CI checks)
        • [ ] Block force pushes
        • [ ] Require code-scanning results
      • Notes:
  • Kai Lüke :
    • baselayout
      • [ ] Default branch set to main
      • [ ] "Suggest updating branch" set
      • [ ] Automatically delete head branches after merge to keep the branch list tidy.
      • [ ] Create a ruleset for default (main) branch:
        • [ ] Allow merge commits only
        • [ ] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [ ] Require approval of the most recent reviewable push
        • [ ] Require conversation resolution before merging
        • [ ] Require status checks to pass (CI checks)
        • [ ] Block force pushes
        • [ ] Require code-scanning results
      • Notes:
  • Kai Lüke :
    • sysext-bakery
      • [x] Default branch set to main
      • [ ] "Suggest updating branch" set
      • [ ] Automatically delete head branches after merge to keep the branch list tidy.
      • [ ] Create a ruleset for default (main) branch:
        • [ ] Allow merge commits only
        • [ ] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [ ] Require approval of the most recent reviewable push
        • [ ] Require conversation resolution before merging
        • [ ] Require status checks to pass (CI checks)
        • [ ] Block force pushes
        • [ ] Require code-scanning results
      • Notes:
  • Mathieu Tortuyaux :
    • flatcar-tutorial
      • [x] Default branch set to main
      • [ ] "Suggest updating branch" set
      • [ ] Automatically delete head branches after merge to keep the branch list tidy.
      • [ ] Create a ruleset for default (main) branch:
        • [ ] Allow merge commits only
        • [ ] Allow for flatcar-maintainers to bypass restrictions
        • [ ] Require review from Code Owners
        • [ ] Require approval of the most recent reviewable push
        • [ ] Require conversation resolution before merging
        • [ ] Require status checks to pass (CI checks)
        • [ ] Block force pushes
        • [ ] Require code-scanning results
      • Notes:
  • Jan Bronicki :
    • flatcar-app-minecraft
      • [x] Default branch set to main
      • [x] "Suggest updating branch" set
      • [x] Automatically delete head branches after merge to keep the branch list tidy.
      • [x] Create a ruleset for default (main) branch:
        • [x] Allow merge commits only
        • [x] Allow for flatcar-maintainers to bypass restrictions
        • [x] Require review from Code Owners
        • [x] Require approval of the most recent reviewable push
        • [x] Require conversation resolution before merging
        • [x] Require status checks to pass (CI checks)
        • [x] Block force pushes
        • [x] Require code-scanning results
      • Notes:

Repos without maintainers

  • reports
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flatcar-demos
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flatcar-app-jitsi
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flatcar-build-scripts
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • torcx
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • azure-vhd-utils
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [x] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flatcar-mastodon
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flatcar-automation
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flatcar-packer-qemu
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • terraform-gcp-flatcar
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flatcar-release-mirror
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • mayday
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flatcar-cloud-image-uploader
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • updateservicectl
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flatcar-template-project
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [x] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes: No CI thus the check cannot be set
  • lerobot
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flatcar-ipxe-scripts
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flatcar-terraform
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • sdnotify-proxy
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • go-omaha
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [x] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • seismograph
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • coreos-cloudinit
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • toolbox
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks) - NO CI
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes: NO CI
  • .github
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes: No CI, no CODEOWNERS file
  • fleetlock
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [x] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • flog
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes: No CI, no CODEOWNERS file
  • ignition
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • nebraska-update-agent
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes: No CI thus no CI checks, also no CODEOWNERS file
  • shim-review
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [x] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes:
  • sysroot-wrappers
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks) - NO CI
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes: No CODEOWNERS file, No CI
  • update-ssh-keys
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [x] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes: No CODEOWNERS file
  • flatcar-dev-util
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes: No CI, no CODEOWNERS file
  • nss-altfiles
    • [x] Default branch set to main
    • [x] "Suggest updating branch" set
    • [x] Automatically delete head branches after merge to keep the branch list tidy.
    • [x] Create a ruleset for default (main) branch:
      • [x] Allow merge commits only
      • [x] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [x] Require approval of the most recent reviewable push
      • [x] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [x] Block force pushes
      • [x] Require code-scanning results
    • Notes: No CI, no CODEOWNERS file
  • cluster-api-bootstrap-provider-kubeadm-ignition
    • [x] Default branch set to main
    • [ ] "Suggest updating branch" set
    • [ ] Automatically delete head branches after merge to keep the branch list tidy.
    • [ ] Create a ruleset for default (main) branch:
      • [ ] Allow merge commits only
      • [ ] Allow for flatcar-maintainers to bypass restrictions
      • [ ] Require review from Code Owners
      • [ ] Require approval of the most recent reviewable push
      • [ ] Require conversation resolution before merging
      • [ ] Require status checks to pass (CI checks)
      • [ ] Block force pushes
      • [ ] Require code-scanning results
    • Notes:

John15321, May 19 '25 16:05

@tormath1 Thanks!

Now enabled on Mantle.

A few notes:

  • require review from code owners is not set, as there is no CODEOWNERS file at the moment
  • require status checks to pass: it's not super intuitive to set; you need to type the name of the workflow (I was expecting the checks to be listed by default)
  • require code scanning results: you need to enable default CodeQL from here https://github.com/flatcar/${REPO}/security/code-scanning

I just created a comment to track all the changes in all of the repos (I know it's pretty long, maybe there is a better place where we could store it? But at least here anyone can change the checkmark status).

Also not sure if we should tag everyone or not (I commented out the tags for now).

John15321, May 19 '25 16:05

This is done as well for flatcar-website.

NOTE: It is possible to export a ruleset and to import it. This could be easily integrated into some script, I guess.

{
  "name": "main",
  "target": "branch",
  "source_type": "Repository",
  "source": "flatcar/flatcar-website",
  "enforcement": "active",
  "conditions": {
    "ref_name": {
      "exclude": [],
      "include": [
        "~DEFAULT_BRANCH"
      ]
    }
  },
  "rules": [
    {
      "type": "deletion"
    },
    {
      "type": "non_fast_forward"
    },
    {
      "type": "pull_request",
      "parameters": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews_on_push": false,
        "require_code_owner_review": false,
        "require_last_push_approval": true,
        "required_review_thread_resolution": true,
        "automatic_copilot_code_review_enabled": false,
        "allowed_merge_methods": [
          "merge"
        ]
      }
    },
    {
      "type": "code_scanning",
      "parameters": {
        "code_scanning_tools": [
          {
            "tool": "CodeQL",
            "security_alerts_threshold": "high_or_higher",
            "alerts_threshold": "errors"
          }
        ]
      }
    },
    {
      "type": "required_status_checks",
      "parameters": {
        "strict_required_status_checks_policy": false,
        "do_not_enforce_on_create": false
      }
    }
  ],
  "bypass_actors": [
    {
      "actor_id": ...,
      "actor_type": "Team",
      "bypass_mode": "always"
    }
  ]
}

tormath1, May 21 '25 13:05
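As an added example (not code from this thread or from any Flatcar tooling), here is a script that reads a ruleset exported in the JSON format above and reports which items of the tracking checklist it actually enforces; the sample ruleset, its placeholder actor id and the list of known CI job names are constructed for the example.

```python
"""Audit an exported GitHub ruleset against the branch-protection checklist.

Added example, not part of the issue thread. A ruleset exported from
Settings > Rules is parsed and each checklist item is marked [x] or [ ],
with two extra checks a practitioner wants: a status-check rule that lists
no contexts enforces nothing, and a required context that matches no real
CI job blocks every merge.
"""
import json

# Constructed sample mirroring the export format quoted in the thread;
# actor_id 0 is a placeholder, not a real team id.
SAMPLE_RULESET_JSON = """
{
  "name": "main",
  "target": "branch",
  "source_type": "Repository",
  "source": "example-org/example-repo",
  "enforcement": "active",
  "conditions": {"ref_name": {"exclude": [], "include": ["~DEFAULT_BRANCH"]}},
  "rules": [
    {"type": "deletion"},
    {"type": "non_fast_forward"},
    {"type": "pull_request", "parameters": {
      "required_approving_review_count": 1,
      "dismiss_stale_reviews_on_push": false,
      "require_code_owner_review": false,
      "require_last_push_approval": true,
      "required_review_thread_resolution": true,
      "allowed_merge_methods": ["merge"]}},
    {"type": "code_scanning", "parameters": {"code_scanning_tools": [
      {"tool": "CodeQL", "security_alerts_threshold": "high_or_higher",
       "alerts_threshold": "errors"}]}},
    {"type": "required_status_checks", "parameters": {
      "strict_required_status_checks_policy": false,
      "do_not_enforce_on_create": false}}
  ],
  "bypass_actors": [{"actor_id": 0, "actor_type": "Team", "bypass_mode": "always"}]
}
"""

# Labels follow the tracking comment so the output can be pasted into it.
CHECKLIST = [
    "Restrict deletions",
    "Block force pushes",
    "Allow a single merge method only",
    "Allow a team to bypass restrictions",
    "Require review from Code Owners",
    "Require approval of the most recent reviewable push",
    "Require conversation resolution before merging",
    "Require status checks to pass (CI checks)",
    "Require code-scanning results",
]


def load_ruleset(text):
    """Parse one exported ruleset (JSON text) into a dict."""
    return json.loads(text)


def _param(rules, rule_type, key, default=None):
    """Fetch one parameter from the rule of the given type, or the default."""
    rule = rules.get(rule_type)
    if rule is None:
        return default
    return rule.get("parameters", {}).get(key, default)


def audit_ruleset(ruleset, known_checks=()):
    """Return enforcement state, per-item status and phantom status checks.

    known_checks: job names that really exist in the repository's workflows
    (caller-supplied); required contexts outside that set are reported, since
    GitHub happily accepts a typed name that no workflow ever produces.
    """
    rules = {r["type"]: r for r in ruleset.get("rules", [])}
    contexts = [c.get("context") for c in
                _param(rules, "required_status_checks", "required_status_checks", [])]
    tools = _param(rules, "code_scanning", "code_scanning_tools", [])
    merge_methods = _param(rules, "pull_request", "allowed_merge_methods", [])
    status = {
        "Restrict deletions": "deletion" in rules,
        "Block force pushes": "non_fast_forward" in rules,
        "Allow a single merge method only": len(merge_methods) == 1,
        "Allow a team to bypass restrictions": any(
            a.get("actor_type") == "Team" for a in ruleset.get("bypass_actors", [])),
        "Require review from Code Owners": bool(
            _param(rules, "pull_request", "require_code_owner_review", False)),
        "Require approval of the most recent reviewable push": bool(
            _param(rules, "pull_request", "require_last_push_approval", False)),
        "Require conversation resolution before merging": bool(
            _param(rules, "pull_request", "required_review_thread_resolution", False)),
        # Rule present but no contexts listed: nothing is actually required.
        "Require status checks to pass (CI checks)": len(contexts) > 0,
        "Require code-scanning results": any(t.get("tool") == "CodeQL" for t in tools),
    }
    include = ruleset.get("conditions", {}).get("ref_name", {}).get("include", [])
    return {
        "enforced": ruleset.get("enforcement") == "active",
        "targets_default_branch": "~DEFAULT_BRANCH" in include,
        "status": status,
        "phantom_checks": sorted(set(contexts) - set(known_checks)),
    }


def render_checklist(audit):
    """Render the audit as the [x]/[ ] lines used in the tracking comment."""
    lines = [f"[{'x' if audit['status'][item] else ' '}] {item}" for item in CHECKLIST]
    for name in audit["phantom_checks"]:
        lines.append(f"[!] required check '{name}' matches no known CI job")
    if not audit["enforced"]:
        lines.append("[!] ruleset is not active")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = load_ruleset(SAMPLE_RULESET_JSON)
    print(render_checklist(audit_ruleset(sample, known_checks=("CI",))))
```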

> This is done as well for flatcar-website.
>
> NOTE: It is possible to export a ruleset and to import it. This could be easily integrated into some script, I guess.
>
> { "name": "main", "target": "branch", "source_type": "Repository", ... }

Can confirm it works, thanks!

John15321, May 22 '25 13:05

What I realized when enabling the required options in ue-rs.

You can enable all the options in settings at once, except for Require status checks to pass (CI checks). That happens mainly because the status checks require corresponding CI jobs (e.g. "CI" or "build" as configured in the GitHub workflow) to be enabled under Status checks that are required. To do that, you first need to rename the branch in the GitHub Actions workflows and merge that change, like https://github.com/flatcar/ue-rs/pull/66.

Even after having done that, the corresponding CI jobs are not immediately visible in the drop-down menu under Status checks that are required, because at that moment GitHub is not able to recognize CI jobs for the new branch name. In that case you would need to wait for hours until the CI jobs become visible again. That step is a hard blocker, because it is not possible to set status checks without setting CI jobs.

dongsupark, May 26 '25 11:05

> What I realized when enabling the required options in ue-rs.
>
> You can enable all the options in settings at once, except for Require status checks to pass (CI checks). That happens mainly because the status checks require corresponding CI jobs (e.g. "CI" or "build" as configured in the GitHub workflow) to be enabled under Status checks that are required. To do that, you first need to rename the branch in the GitHub Actions workflows and merge that change, like flatcar/ue-rs#66.
>
> Even after having done that, the corresponding CI jobs are not immediately visible in the drop-down menu under Status checks that are required, because at that moment GitHub is not able to recognize CI jobs for the new branch name. In that case you would need to wait for hours until the CI jobs become visible again. That step is a hard blocker, because it is not possible to set status checks without setting CI jobs.

Thanks for noting that. I also think the process of getting CI checks right now is super buggy. I recall that years ago it was pretty simple; I think they overengineered some stuff.

John15321, May 26 '25 14:05

Hi all,

As part of this issue, I’m starting the process of switching the default branch to main across our Flatcar repositories. For now, I'm beginning with the following:

If anyone is aware of potential problems or automation that may be affected by this change in these repositories, please let me know!
I want to make sure we don’t disrupt anyone’s workflow.

Thanks for your input!

John15321, May 26 '25 15:05

New repositories for main branch update:

John15321, Jun 04 '25 16:06

Hey everyone, I’ve just renamed the default branches and merged the PRs for the following repositories:

  • mayday – https://github.com/flatcar/mayday/pull/16
  • flatcar-cloud-image-uploader – https://github.com/flatcar/flatcar-cloud-image-uploader/pull/25
  • flatcar-release-mirror
  • flatcar-packer-qemu

However, I don’t have the necessary permissions to rename the default branch in azure-vhd-utils. Could someone with the right access please take care of that?

Let me know if you have any questions or concerns. Thanks!

John15321, Jun 10 '25 13:06

> However, I don’t have the necessary permissions to rename the default branch in azure-vhd-utils. Could someone with the right access please take care of that?

@t-lo I guess the access to the repo is not with the maintainers GH group, can you please look into it?

sayanchowdhury, Jun 11 '25 07:06

Some notes for go-omaha:

  • when we set a ruleset that uses the CodeQL integration, we need to enable that CodeQL integration in the Security tab, otherwise it does nothing and waits forever for the CodeQL result
  • in the ruleset again, let's be careful about the name of the required CI integration: it is not user friendly and we can easily select a CI workflow that does not exist in the project (as was the case for go-omaha)

tormath1, Jun 24 '25 07:06