From 86bd8a2cad081ef62bbee7d7aaf366a281239df0 Mon Sep 17 00:00:00 2001 From: Jonathan Miller Date: Sat, 4 Jul 2026 20:25:24 -0500 Subject: [PATCH] feat(org): show inherited org branch-protection rules in repo settings (#727) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The org "floor" is enforced implicitly at the choke point, so a repo admin couldn't see which org-level rules apply to their repo. Surface them in the repo's Branch Protection settings page (read-only), the way GitHub shows organization rulesets in a repository. - ProtectedBranchRules handler: when the owner is an org, load FindOrgProtectedBranchRules and expose them as OrgProtectedBranches. - branches.tmpl: new read-only "Organization Branch Protection" section listing each org rule with an "Organization" badge, a lock/read-only marker, and compact indicators (required approvals, signed commits, status checks). No edit/delete controls — these are managed at the org level. - en-US locale strings. Note: no Go toolchain available locally, so not compiled/gofmt'd/tested here. Claude-Session: https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT --- options/locale/locale_en-US.json | 7 +++++ routers/web/repo/setting/protected_branch.go | 12 +++++++++ templates/repo/settings/branches.tmpl | 27 ++++++++++++++++++++ 3 files changed, 46 insertions(+) diff --git a/options/locale/locale_en-US.json b/options/locale/locale_en-US.json index ea52615095..f1bf71288f 100644 --- a/options/locale/locale_en-US.json +++ b/options/locale/locale_en-US.json @@ -2411,6 +2411,13 @@ "repo.settings.protected_branch": "Branch Protection", "repo.settings.protected_branch.save_rule": "Save Rule", "repo.settings.protected_branch.delete_rule": "Delete Rule", + "repo.settings.org_protected_branch": "Organization Branch Protection", + "repo.settings.org_protected_branch_desc": "These rules are defined by the organization and are enforced on top of this repository's own rules — the stricter of the two applies. They cannot be edited here.", + "repo.settings.org_protected_branch.inherited": "Organization", + "repo.settings.org_protected_branch.read_only": "Read-only", + "repo.settings.org_protected_branch.approvals": "%d approvals required", + "repo.settings.org_protected_branch.signed": "Signed commits", + "repo.settings.org_protected_branch.status_check": "Status checks", "repo.settings.protected_branch_can_push": "Allow push?", "repo.settings.protected_branch_can_push_yes": "You can push", "repo.settings.protected_branch_can_push_no": "You cannot push", diff --git a/routers/web/repo/setting/protected_branch.go b/routers/web/repo/setting/protected_branch.go index c8881838ab..06da1aa15e 100644 --- a/routers/web/repo/setting/protected_branch.go +++ b/routers/web/repo/setting/protected_branch.go @@ -46,6 +46,18 @@ func ProtectedBranchRules(ctx *context.Context) { } ctx.Data["ProtectedBranches"] = rules + // Surface the organization-level rules that also apply to this repo (read-only), + // so admins can see the org "floor" that is layered on top of the repo's own + // rules at enforcement time. See issue #727. + if ctx.Repo.Owner.IsOrganization() { + orgRules, err := git_model.FindOrgProtectedBranchRules(ctx, ctx.Repo.Owner.ID) + if err != nil { + ctx.ServerError("FindOrgProtectedBranchRules", err) + return + } + ctx.Data["OrgProtectedBranches"] = orgRules + } + repo.PrepareBranchList(ctx) if ctx.Written() { return diff --git a/templates/repo/settings/branches.tmpl b/templates/repo/settings/branches.tmpl index 6ec80c057f..7bfc6c3dcc 100644 --- a/templates/repo/settings/branches.tmpl +++ b/templates/repo/settings/branches.tmpl @@ -62,6 +62,33 @@ {{end}} + + {{if .OrgProtectedBranches}} +

+ {{ctx.Locale.Tr "repo.settings.org_protected_branch"}} +

+
+

{{ctx.Locale.Tr "repo.settings.org_protected_branch_desc"}}

+
+ {{range .OrgProtectedBranches}} +
+
+
+
{{.RuleName}}
+ {{svg "octicon-organization" 12}} {{ctx.Locale.Tr "repo.settings.org_protected_branch.inherited"}} + {{if gt .RequiredApprovals 0}}{{ctx.Locale.Tr "repo.settings.org_protected_branch.approvals" .RequiredApprovals}}{{end}} + {{if .RequireSignedCommits}}{{ctx.Locale.Tr "repo.settings.org_protected_branch.signed"}}{{end}} + {{if .EnableStatusCheck}}{{ctx.Locale.Tr "repo.settings.org_protected_branch.status_check"}}{{end}} +
+
+
+ {{svg "octicon-lock" 14}} {{ctx.Locale.Tr "repo.settings.org_protected_branch.read_only"}} +
+
+ {{end}} +
+
+ {{end}} {{end}}