privacy-in-design/gitea-migration
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8aad4299caf93974030aa87ddeace01b2757437e
gitea-migration/phase7_branch_protection.sh
S 3179390af9 feat: add Phase 7 — Branch Protection 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 15:27:14 -06:00

92 lines
3.5 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
# =============================================================================
# phase7_branch_protection.sh — Set up branch protection rules on all repos
# Depends on: Phase 4 complete (repos exist on Gitea primary)
# For each repo:
# 1. Check if protection already exists for the target branch
# 2. Create protection rule with configurable settings from .env
# Settings include: block direct push, optionally require PR reviews.
# Idempotent: skips repos that already have protection on the target branch.
# =============================================================================
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
source "${SCRIPT_DIR}/lib/common.sh"
load_env
require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
REPO_1_NAME REPO_2_NAME REPO_3_NAME \
PROTECTED_BRANCH REQUIRE_PR_REVIEW REQUIRED_APPROVALS
phase_header 7 "Branch Protection"
REPOS=("$REPO_1_NAME" "$REPO_2_NAME" "$REPO_3_NAME")
SUCCESS=0
FAILED=0
for repo in "${REPOS[@]}"; do
log_info "--- Processing repo: ${repo} ---"
# -------------------------------------------------------------------------
# Idempotency: check if branch protection already exists
# The branch_protections endpoint returns the rule if it exists (200)
# or 404 if not. We URL-encode the branch name for safety.
# -------------------------------------------------------------------------
if gitea_api GET "/repos/${GITEA_ORG_NAME}/${repo}/branch_protections/${PROTECTED_BRANCH}" >/dev/null 2>&1; then
log_info "Branch protection for '${PROTECTED_BRANCH}' already exists on ${repo} — skipping"
SUCCESS=$((SUCCESS + 1))
continue
fi
# -------------------------------------------------------------------------
# Create branch protection rule
# Key settings:
# - enable_push=false: blocks direct pushes (must use PRs)
# - enable_status_check=true: required CI checks must pass
# - required_approvals: configurable from .env
# -------------------------------------------------------------------------
log_info "Creating branch protection for '${PROTECTED_BRANCH}' on ${repo}..."
PROTECTION_PAYLOAD=$(jq -n \
--arg branch_name "$PROTECTED_BRANCH" \
--argjson enable_push false \
--argjson enable_push_whitelist false \
--argjson require_signed_commits false \
--argjson enable_status_check true \
--argjson enable_approvals_whitelist "${REQUIRE_PR_REVIEW}" \
--argjson required_approvals "${REQUIRED_APPROVALS}" \
'{
branch_name: $branch_name,
enable_push: $enable_push,
enable_push_whitelist: $enable_push_whitelist,
require_signed_commits: $require_signed_commits,
enable_status_check: $enable_status_check,
enable_approvals_whitelist: $enable_approvals_whitelist,
required_approvals: $required_approvals
}')
if gitea_api POST "/repos/${GITEA_ORG_NAME}/${repo}/branch_protections" "$PROTECTION_PAYLOAD" >/dev/null; then
log_success "Branch protection created for ${repo}"
SUCCESS=$((SUCCESS + 1))
else
log_error "Failed to create branch protection for ${repo}"
FAILED=$((FAILED + 1))
fi
done
# ---------------------------------------------------------------------------
# Summary
# ---------------------------------------------------------------------------
printf '\n'
TOTAL=${#REPOS[@]}
log_info "Results: ${SUCCESS} succeeded, ${FAILED} failed (out of ${TOTAL})"
if [[ $FAILED -gt 0 ]]; then
log_error "Some repos failed — check logs above"
exit 1
fi
log_success "Phase 7 complete — branch protection applied"
Reference in New Issue View Git Blame Copy Permalink