Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GitHub/git protections #655

Open
4 tasks
rgoldberg opened this issue Nov 22, 2024 · 0 comments
Open
4 tasks

GitHub/git protections #655

rgoldberg opened this issue Nov 22, 2024 · 0 comments
Labels
🧽 chore Administrative task: documentation, build, test, release, git, etc.

Comments

@rgoldberg
Copy link
Contributor

rgoldberg commented Nov 22, 2024

Potential GitHub/git commit, branch & tag protections:

Tags

  • Configure & enable tag ruleset
  • Disallow changing version tags.
  • Ensure that each new release tag has one & only one semantic version component that is one greater than some other prior release version, followed by zeros for all subsequent components, with an optional -beta.1 suffix.
    • So, the following version transitions are OK:
      • 5.6.7 -> 6.0.0
      • 5.6.7 -> 5.7.0
      • 5.6.7 -> 5.6.8
      • 5.6.7 -> 5.6.8-beta.1
      • 5.6.7-beta.1 -> 5.6.7-beta.2
    • While the following version transitions are not OK:
      • (no stable 5.* exists) -> 6.0.0
      • (no stable 5.6.* exists) -> 5.7.0
      • (no stable 5.6.7.* exists) -> 5.6.8
      • (no stable 5.6.7.* exists) -> 5.6.8-beta.1
      • (no 5.6.7-beta.1 exists) -> 5.6.7-beta.2
  • Allow creating version tags outside main only if we create patches for legacy versions if newer versions require a newer macOS, in which case we'd:
    • Create a legacy version patch branch rooted on the version-tagged main revision that is being patched.
    • Require that the branch be named following a convention relating it to the version tag.
    • Require that all version tags on the patch branch monotonically increasing patch versions, e.g.:
      • Version tag: v1.8.6
      • Patch branch: b1.8.6 (b for branch), or possibly p1.8.6 (p for patch), or something similar
      • Acceptable patch tags on b1.8.6:
        • v1.8.6.1-alpha.1
        • v1.8.6.1-beta.1
        • v1.8.6.1-beta.2
        • v1.8.6.1
        • v1.8.6.2
      • Rejected tags for p1.8.6:
        • v1.8.5
        • v1.8.7
        • v1.9.0
        • v2.0.0

Commits:

  • Require signed commits?
  • Require commit sign offs?
  • Require Resolve #… in last PR commit message?
  • Require Partial #… in prior PR commit messages?

Done

  • Require signed annotated tags
    • Enforced by .githubs/workflows/tag-pushed.yml.
    • Doesn't use tag.gpgSign.
  • Disallow creating version tags outside main.
@rgoldberg rgoldberg added the 🧽 chore Administrative task: documentation, build, test, release, git, etc. label Nov 22, 2024
@rgoldberg rgoldberg changed the title GitHub branch & tag protections GitHub protections Dec 10, 2024
@rgoldberg rgoldberg changed the title GitHub protections GitHub/git protections Dec 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🧽 chore Administrative task: documentation, build, test, release, git, etc.
Projects
None yet
Development

No branches or pull requests

1 participant