feat: Repository & Org-level ruleset system (branch protection) #38

New Issue

Closed

opened 2026-05-08 04:46:04 +00:00 by jmiller · 1 comment

jmiller commented 2026-05-08 04:46:04 +00:00

Owner

Copy Link

Copy Source

Advanced protection rules for repository and organization management:

• Org-level branch protection rulesets that cascade to all repos (Phase 1-3 complete)
• Pattern-based rulesets across branches (main, dev, rc/*, beta/*, alpha/*)
• Required status checks with bypass options
• Required reviews with code owners integration
• Signed commit requirements
• File path restrictions
• Full CRUD API at both repo and org level
• Inheritance: repo rules override org rules

Branch: dev/org-branch-protection
Version: 1261.0.0

See comment below for full implementation plan.

Advanced protection rules for repository and organization management: - **Org-level branch protection rulesets** that cascade to all repos (Phase 1-3 complete) - Pattern-based rulesets across branches (`main`, `dev`, `rc/*`, `beta/*`, `alpha/*`) - Required status checks with bypass options - Required reviews with code owners integration - Signed commit requirements - File path restrictions - Full CRUD API at both repo and org level - Inheritance: repo rules override org rules **Branch:** `dev/org-branch-protection` **Version:** 1261.0.0 See comment below for full implementation plan.

jmiller added the type: feature label 2026-05-11 17:08:56 +00:00

jmiller commented 2026-05-12 20:16:54 +00:00

Author

Owner

Copy Link

Copy Source

Full Implementation Plan: Org-Level Branch Protection Rulesets

Status: Phase 1-3 Complete (branch dev/org-branch-protection)

---

Problem

MokoGitea fork has 50+ repos all needing identical branch protection rules (main, dev, rc/*, beta/*, alpha/*). Currently managed per-repo with bulk scripts. Need GitHub-style org-level rulesets that cascade to all repos automatically.

---

Implementation Summary

Phase 1: Data Model + Migration ✅

• New table: org_protected_branch (migration v332)
• Mirrors protected_branch fields but scoped to org_id instead of repo_id
• Uses team-based whitelists only (no per-user IDs at org level)
• Unique constraint: (org_id, rule_name)

Phase 2: API Endpoints ✅

GET    /api/v1/orgs/{org}/branch_protections
POST   /api/v1/orgs/{org}/branch_protections
GET    /api/v1/orgs/{org}/branch_protections/{name}
PATCH  /api/v1/orgs/{org}/branch_protections/{name}
DELETE /api/v1/orgs/{org}/branch_protections/{name}

Auth: reqToken() + reqOrgOwnership()

Phase 3: Inheritance Logic ✅

• Modified GetFirstMatchProtectedBranchRule() to fall back to org rules
• Repo-level rules take full precedence (no field-by-field merge)
• Added inherited_from field to BranchProtection API response

Phase 4: UI (Future)

• Org Settings > Branch Protection tab
• Repo-level UI shows inherited rules as read-only with "Inherited from org" badge

---

Files Created

File	Purpose
models/git/org_protected_branch.go	OrgProtectedBranch model + CRUD + glob matching
models/migrations/v1_27/v332.go	Migration to create org_protected_branch table
modules/structs/org_branch.go	API request/response types
routers/api/v1/org/branch_protection.go	Full CRUD API handlers

Files Modified

File	Change
models/git/protected_branch_list.go	Org rule fallback in GetFirstMatchProtectedBranchRule()
models/migrations/migrations.go	Register migration 332
modules/structs/repo_branch.go	Added InheritedFrom field
routers/api/v1/api.go	Route registration

---

Additional Changes in Same Branch

• Configurable Help/Support URLs: HELP_URL and SUPPORT_URL in app.ini, replacing hardcoded docs.gitea.com in navbar
• Admin visibility: Help/Support URLs shown in Site Admin > Configuration
• Version convention: 1261.xx.xx (1261 = fork starting point from upstream Gitea)

---

Verification Checklist

• Create org rule via API, verify it applies to repos without their own rule
• Verify repo-level rule overrides org rule for same branch pattern
• Verify rule deletion at org level removes protection from all repos
• Run existing branch protection tests to ensure no regressions
• Test glob patterns: rc/*, beta/*, alpha/*

Documentation / Communication

• Update MokoGitea wiki with org branch protection API docs
• Update mokoconsulting.tech website articles with feature announcement
• Add admin guide for configuring HELP_URL and SUPPORT_URL
• Document version numbering convention (1261.xx.xx)

---

Authored by Claude Opus 4.6 — Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com

## Full Implementation Plan: Org-Level Branch Protection Rulesets ### Status: Phase 1-3 Complete (branch `dev/org-branch-protection`) --- ### Problem MokoGitea fork has 50+ repos all needing identical branch protection rules (`main`, `dev`, `rc/*`, `beta/*`, `alpha/*`). Currently managed per-repo with bulk scripts. Need GitHub-style org-level rulesets that cascade to all repos automatically. --- ### Implementation Summary #### Phase 1: Data Model + Migration ✅ - **New table:** `org_protected_branch` (migration v332) - Mirrors `protected_branch` fields but scoped to `org_id` instead of `repo_id` - Uses team-based whitelists only (no per-user IDs at org level) - Unique constraint: `(org_id, rule_name)` #### Phase 2: API Endpoints ✅ ``` GET /api/v1/orgs/{org}/branch_protections POST /api/v1/orgs/{org}/branch_protections GET /api/v1/orgs/{org}/branch_protections/{name} PATCH /api/v1/orgs/{org}/branch_protections/{name} DELETE /api/v1/orgs/{org}/branch_protections/{name} ``` Auth: `reqToken()` + `reqOrgOwnership()` #### Phase 3: Inheritance Logic ✅ - Modified `GetFirstMatchProtectedBranchRule()` to fall back to org rules - Repo-level rules take full precedence (no field-by-field merge) - Added `inherited_from` field to `BranchProtection` API response #### Phase 4: UI (Future) - [ ] Org Settings > Branch Protection tab - [ ] Repo-level UI shows inherited rules as read-only with "Inherited from org" badge --- ### Files Created | File | Purpose | |------|--------| | `models/git/org_protected_branch.go` | OrgProtectedBranch model + CRUD + glob matching | | `models/migrations/v1_27/v332.go` | Migration to create `org_protected_branch` table | | `modules/structs/org_branch.go` | API request/response types | | `routers/api/v1/org/branch_protection.go` | Full CRUD API handlers | ### Files Modified | File | Change | |------|--------| | `models/git/protected_branch_list.go` | Org rule fallback in `GetFirstMatchProtectedBranchRule()` | | `models/migrations/migrations.go` | Register migration 332 | | `modules/structs/repo_branch.go` | Added `InheritedFrom` field | | `routers/api/v1/api.go` | Route registration | --- ### Additional Changes in Same Branch - **Configurable Help/Support URLs:** `HELP_URL` and `SUPPORT_URL` in `app.ini`, replacing hardcoded `docs.gitea.com` in navbar - **Admin visibility:** Help/Support URLs shown in Site Admin > Configuration - **Version convention:** `1261.xx.xx` (1261 = fork starting point from upstream Gitea) --- ### Verification Checklist - [ ] Create org rule via API, verify it applies to repos without their own rule - [ ] Verify repo-level rule overrides org rule for same branch pattern - [ ] Verify rule deletion at org level removes protection from all repos - [ ] Run existing branch protection tests to ensure no regressions - [ ] Test glob patterns: `rc/*`, `beta/*`, `alpha/*` ### Documentation / Communication - [ ] Update MokoGitea wiki with org branch protection API docs - [ ] Update mokoconsulting.tech website articles with feature announcement - [ ] Add admin guide for configuring HELP_URL and SUPPORT_URL - [ ] Document version numbering convention (1261.xx.xx) --- *Authored by Claude Opus 4.6 — Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>*

jmiller changed title from feat: Repository ruleset system to feat: Repository & Org-level ruleset system (branch protection) 2026-05-12 20:17:04 +00:00

jmiller referenced a pull request that will close this issue 2026-05-12 20:20:21 +00:00

feat(org): add org-level branch protection rulesets & configurable help URLs #71

jmiller referenced a pull request that will close this issue 2026-05-12 20:22:56 +00:00

feat(org): add org-level branch protection rulesets & configurable help URLs #72

jmiller closed this issue 2026-05-12 20:24:15 +00:00

jmiller referenced this issue 2026-05-12 20:25:02 +00:00

release: promote dev to main — org branch protection & help URLs #73

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/badge-engine

feat/prometheus-metrics

feat/update-checker

dev

alpha

beta

feature

version

feat/custom-logo

v1.25.5-moko.1

v1.26.1

v1.26.0

v1.26.0-rc0

v1.27.0-dev

v1.25.5

v1.25.4

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

breaking-change

Breaking API or behavior change

ci-cd

CI/CD pipeline changes

config

Configuration changes

dependencies

Dependency updates

deploy-failure

Deployment failed

docker

Docker/container changes

documentation

Documentation changes

good first issue

Good for newcomers

health-check

Repo health check result

help wanted

Extra attention needed

mokostandards

Related to MokoStandards framework

priority: critical

Must fix immediately

priority: high

Important, fix soon

priority: low

Nice to have

priority: medium

Normal priority

push-failure

Git push operation failed

security

Security vulnerability or hardening

size/l

200-500 lines changed

size/m

50-200 lines changed

size/s

10-50 lines changed

size/xl

500+ lines changed

size/xs

< 10 lines changed

standards-drift

Deviates from MokoStandards

standards-update

MokoStandards compliance update

status: blocked

Blocked by dependency or decision

status: in-progress

Actively being worked on

status: needs-review

Awaiting code review

status: on-hold

Paused intentionally

status: wontfix

Will not be addressed

sync-failure

Sync or mirror failed

type: bug

Something isn't working

type: chore

Maintenance, dependencies, cleanup

type: enhancement

Improvement to existing feature

type: feature

New functionality

type: refactor

Code restructuring without behavior change

type: version

Version bump or release

work-in-progress

Draft or incomplete work

bug

Something is not working

chore

Maintenance and housekeeping

documentation

Documentation improvements

enhancement

Improvement to existing functionality

feature

New feature or request

priority: critical

Must fix immediately

priority: high

Should fix soon

priority: low

Nice to have

priority: medium

Fix when convenient

refactor

Code restructuring without behavior change

roadmap

Planned feature or enhancement tracked on the roadmap

scope: client

Client-specific work

scope: dolibarr

Dolibarr modules and customizations

scope: infrastructure

Server, CI, backups, monitoring

scope: joomla

Joomla templates and extensions

scope: waas

MokoWaaS platform

security

Security vulnerability or hardening

status: blocked

Waiting on external dependency

status: duplicate

Duplicate of another issue

status: in-progress

Being worked on

status: needs-review

Ready for review

status: wontfix

Will not be addressed

No labels type: feature

Milestone

No items

No Milestone

Projects

Clear projects

No projects

Assignees

Clear assignees

jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea#38