Extend org-level branch protection to support per-user allowlists (resolved
from username OR email) and an "allow Actions bot" toggle, alongside the
existing team allowlists, for all five categories (push, merge, force-push,
delete, approvals).
- models/git/org_protected_branch.go: add WhitelistUserIDs, MergeWhitelistUserIDs,
ForcePushAllowlistUserIDs, DeleteAllowlistUserIDs, ApprovalsWhitelistUserIDs
([]int64) plus WhitelistActionsUser, MergeWhitelistActionsUser,
ForcePushAllowlistActionsUser, DeleteAllowlistActionsUser (bool); copy all 9
into ProtectedBranch in ToProtectedBranch().
- models/migrations/v1_27/v368.go: migration 367 adds the 9 columns.
- modules/structs/org_branch.go: add *Usernames []string and *ActionsUser bool
to Create/Edit options and the response, matching repo-level json names.
- routers/api/v1/org/branch_protection.go: resolveUserIDs (username then email,
dedupe, 422 on unknown); wire into Create + Edit and toAPIOrgBranchProtection.
- models/git/protected_branch_merge.go: add mergeAllowFlag and merge the four
Actions-user flags most-restrictively (org can now express them); deploy-key
flags stay repo-only pass-through.
- models/git/protected_branch_merge_test.go: mergeAllowFlag truth table, user-ID
intersection, deploy-key pass-through.
- regenerate swagger v1 + openapi3 specs.
Claude-Session: https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT