#!/usr/bin/env bash set -euo pipefail # ============================================================================= # phase7_branch_protection.sh — Set up branch protection rules on all repos # Depends on: Phase 4 complete (repos exist on Gitea primary) # For each repo: # 1. Check if protection already exists for the target branch # 2. Create protection rule with configurable settings from .env # Settings include: block direct push, optionally require PR reviews. # Idempotent: skips repos that already have protection on the target branch. # ============================================================================= SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" source "${SCRIPT_DIR}/lib/common.sh" load_env require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \ REPO_NAMES \ PROTECTED_BRANCH REQUIRE_PR_REVIEW REQUIRED_APPROVALS phase_header 7 "Branch Protection" read -ra REPOS <<< "$REPO_NAMES" SUCCESS=0 FAILED=0 for repo in "${REPOS[@]}"; do log_info "--- Processing repo: ${repo} ---" # ------------------------------------------------------------------------- # Idempotency: check if branch protection already exists # The branch_protections endpoint returns the rule if it exists (200) # or 404 if not. We URL-encode the branch name for safety. # ------------------------------------------------------------------------- if gitea_api GET "/repos/${GITEA_ORG_NAME}/${repo}/branch_protections/${PROTECTED_BRANCH}" >/dev/null 2>&1; then log_info "Branch protection for '${PROTECTED_BRANCH}' already exists on ${repo} — skipping" SUCCESS=$((SUCCESS + 1)) continue fi # ------------------------------------------------------------------------- # Create branch protection rule # Key settings: # - enable_push=false: blocks direct pushes (must use PRs) # - enable_status_check=true: required CI checks must pass # - required_approvals: configurable from .env # ------------------------------------------------------------------------- log_info "Creating branch protection for '${PROTECTED_BRANCH}' on ${repo}..." PROTECTION_PAYLOAD=$(jq -n \ --arg branch_name "$PROTECTED_BRANCH" \ --argjson enable_push false \ --argjson enable_push_whitelist false \ --argjson require_signed_commits false \ --argjson enable_status_check true \ --argjson enable_approvals_whitelist "${REQUIRE_PR_REVIEW}" \ --argjson required_approvals "${REQUIRED_APPROVALS}" \ '{ branch_name: $branch_name, enable_push: $enable_push, enable_push_whitelist: $enable_push_whitelist, require_signed_commits: $require_signed_commits, enable_status_check: $enable_status_check, enable_approvals_whitelist: $enable_approvals_whitelist, required_approvals: $required_approvals }') if gitea_api POST "/repos/${GITEA_ORG_NAME}/${repo}/branch_protections" "$PROTECTION_PAYLOAD" >/dev/null; then log_success "Branch protection created for ${repo}" SUCCESS=$((SUCCESS + 1)) else log_error "Failed to create branch protection for ${repo}" FAILED=$((FAILED + 1)) fi done # --------------------------------------------------------------------------- # Summary # --------------------------------------------------------------------------- printf '\n' TOTAL=${#REPOS[@]} log_info "Results: ${SUCCESS} succeeded, ${FAILED} failed (out of ${TOTAL})" if [[ $FAILED -gt 0 ]]; then log_error "Some repos failed — check logs above" exit 1 fi log_success "Phase 7 complete — branch protection applied"