chore(branch-protection): allow actions + moko-deploy bots on protected branches #334

Merged
jmiller merged 1 commit from chore/branch-protection-bot-allowlist into main 2026-07-04 23:23:07 +00:00
Owner

Canonical copy of the org branch-protection provisioner. Adds the automation identities to the rule definitions so release automation can operate on protected branches:

  • all rules: push_whitelist_actions_user: true + moko-deploy in push_whitelist_usernames
  • dev, rc: enable force-push for the bots (enable_force_push, force_push_allowlist_usernames: [jmiller, moko-deploy], force_push_allowlist_actions_user: true) → dev can be reset to main via a single git push --force origin main:dev (delete+recreate can't work on a protected branch)
  • main: force-push stays disabled

Because this provisioner POST-creates rules (not PATCH), it should set push_whitelist_actions_user correctly (the PATCH path silently no-ops — see mcp-mokogitea-api#30).

⚠️ moko-deploy needs org-team write access before it takes effect (mcp-mokogitea-api#30). Unblocks the dev-sync + version-persist fixes in Template-Generic#53. Applied identically to Template-Generic and Template-Joomla.

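A policy check for the rule definitions described above, as an added example (not code from this PR or from MokoCLI). It flags definitions that break the stated constraints (force-push disabled on main, only jmiller and moko-deploy on the dev/rc force-push allowlist) and compares a definition with a rule read back after provisioning, to catch a setting that silently failed to apply. The field names are those quoted in the description; the `branch` key, the function names and the sample rules are assumptions.

```python
# Added example. Field names come from the PR description; the "branch" key,
# function names and sample rules are assumptions for illustration.
FORCE_PUSH_BRANCHES = {"dev", "rc"}
FORCE_PUSH_USERS = {"jmiller", "moko-deploy"}
MANAGED = ("push_whitelist_actions_user", "push_whitelist_usernames",
           "enable_force_push", "force_push_allowlist_usernames",
           "force_push_allowlist_actions_user")

def policy_violations(rule):
    """List the ways one rule definition departs from the policy in the PR text."""
    name, out = rule["branch"], []
    if not rule.get("push_whitelist_actions_user"):
        out.append(f"{name}: push_whitelist_actions_user is not true")
    if "moko-deploy" not in rule.get("push_whitelist_usernames", []):
        out.append(f"{name}: moko-deploy missing from push_whitelist_usernames")
    allow = set(rule.get("force_push_allowlist_usernames") or [])
    if name in FORCE_PUSH_BRANCHES:
        if not rule.get("enable_force_push"):
            out.append(f"{name}: enable_force_push is not set")
        if allow != FORCE_PUSH_USERS:
            out.append(f"{name}: force-push allowlist is {sorted(allow)}")
    elif (rule.get("enable_force_push") or allow
          or rule.get("force_push_allowlist_actions_user")):
        out.append(f"{name}: force-push must stay disabled")
    return out

def _norm(value):
    # Treat unset, False and [] alike; compare lists without regard to order.
    return sorted(value) if isinstance(value, list) and value else (value or None)

def rule_drift(desired, live):
    """Managed fields whose read-back value differs from the definition."""
    return [k for k in MANAGED if _norm(desired.get(k)) != _norm(live.get(k))]

# Constructed sample data: two definitions and one read-back after provisioning.
MAIN = {"branch": "main", "push_whitelist_actions_user": True,
        "push_whitelist_usernames": ["moko-deploy"], "enable_force_push": False}
DEV = {"branch": "dev", "push_whitelist_actions_user": True,
       "push_whitelist_usernames": ["moko-deploy"], "enable_force_push": True,
       "force_push_allowlist_usernames": ["jmiller", "moko-deploy"],
       "force_push_allowlist_actions_user": True}
# Read-back where the actions-user flag did not take (the silent no-op case).
DEV_LIVE = dict(DEV, push_whitelist_actions_user=False,
                force_push_allowlist_usernames=["moko-deploy", "jmiller"])

if __name__ == "__main__":
    for rule in (MAIN, DEV, dict(MAIN, enable_force_push=True)):
        print(rule["branch"], policy_violations(rule) or "ok")
    print("drift:", rule_drift(DEV, DEV_LIVE))
```

Running the drift check against a read-back of every provisioned rule turns a silently ignored field into a failing result instead of a push that is rejected later.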
jmiller added 1 commit 2026-07-04 23:22:18 +00:00
chore(branch-protection): allow actions + moko-deploy bots on protected branches
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 19s
Generic: Repo Health / Site Health (pull_request) Has been skipped
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Generic: Repo Health / Access control (pull_request) Successful in 3s
Universal: PR Check / Validate PR (pull_request) Failing after 10s
Universal: PR Check / Secret Scan (pull_request) Successful in 14s
Universal: Build & Release / Promote to RC (pull_request) Has been skipped
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 3s
Universal: Build & Release / Build & Release Pipeline (pull_request) Successful in 41s
Platform: mokocli CI / Gate 1: Code Quality (pull_request) Successful in 2m0s
Universal: Workflow Sync Trigger / Sync workflows to live repos (pull_request) Failing after 13m47s
Platform: mokocli CI / Gate 2: Unit Tests (8.1) (pull_request) Has been cancelled
Platform: mokocli CI / Gate 2: Unit Tests (8.2) (pull_request) Has been cancelled
Platform: mokocli CI / Gate 2: Unit Tests (8.3) (pull_request) Has been cancelled
Platform: mokocli CI / Gate 3: Self-Health Check (pull_request) Has been cancelled
Platform: mokocli CI / Gate 4: Governance (pull_request) Has been cancelled
Platform: mokocli CI / Gate 5: Template Integrity (pull_request) Has been cancelled
Platform: mokocli CI / CI Summary (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Generic: Repo Health / Report: Scripts Governance (pull_request) Has been cancelled
Generic: Repo Health / Report: Repository Health (pull_request) Has been cancelled
e99881ad65
Adds the automation identities to the branch-protection rule definitions so
release automation can operate on protected branches:
- all rules: push_whitelist_actions_user=true + moko-deploy in push whitelist
- dev, rc: enable force-push for the bots so dev can be reset to main via a
  single `git push --force origin main:dev` (delete+recreate cannot work on a
  protected branch)
- main keeps force-push disabled

moko-deploy needs org-team write access to take effect (mcp-mokogitea-api#30).
Unblocks the dev-sync + version-persist fixes (Template-Generic#53).

Claude-Session: https://claude.ai/code/session_01WbGBN9VyRK61zczYWcCQ2i
jmiller merged commit b885f12ece into main 2026-07-04 23:23:07 +00:00
jmiller deleted branch chore/branch-protection-bot-allowlist 2026-07-04 23:23:10 +00:00

Reference: MokoConsulting/MokoCLI#334