MokoConsulting/moko-platform
1
0
Fork 0
Code Issues 6 Pull Requests 1 Actions 25 Packages Licenses 2 Releases 8 Wiki Activity
Page: workflows-branch-protection.-
Pages
ARCHITECTURE AUTO-BUMP AUTO_CREATE_ORG_PROJECTS Branching-Strategy CLI_AUTOMATION Coding-Standards DEPLOY_SCRIPTS DOLIBARR_MODULE_IDS DRY_RUN_PATTERN Documentation-Standards File-Header-Standards Home JOOMLA_SYNC LEGAL_DOC_GENERATOR_WEB_README MANIFEST-STANDARD MINIFICATION MONITORING_SCRIPTS NEW_SCRIPTS QUICKSTART_ORG_PROJECTS UPDATE-SERVER WIKI_STANDARDS WORKFLOW_STANDARDS api-automation-index api-definitions-default-index api-definitions-sync-index api-deploy-index api-fix-index api-index api-maintenance-index.- api-maintenance-index api-plugin-index.- api-plugin-index api-tests-index.- api-tests-sample-index.- api-tests-sample-index api-validate-index.- automation-README.- automation-branch-version-automation.- automation-push-files.- automation-repo-cleanup.- client-repos.-.- client-repos standards-mokostandards-file-spec.- standards-mokostandards-file-spec templates-client-waas templates-dolibarr templates-generic templates-mcp unnamed workflows-README.- workflows-README workflows-auto-release.- workflows-auto-release workflows-branch-protection.- workflows-branch-protection workflows-build-release.- workflows-build-release workflows-cascade-dev.- workflows-cascade-dev workflows-changelog-management.- workflows-changelog-management workflows-demo-deployment.- workflows-demo-deployment workflows-dev-branch-tracking.- workflows-dev-branch-tracking workflows-dev-deployment.- workflows-dev-deployment workflows-index.- workflows-index workflows-release-system.- workflows-release-system workflows-renovate.- workflows-renovate workflows-reusable-workflows.- workflows-reusable-workflows workflows-rs-deployment.- workflows-rs-deployment workflows-secret-scanning.- workflows-secret-scanning workflows-shared-workflows.- workflows-shared-workflows workflows-standards-compliance.- workflows-standards-compliance workflows-static-analysis.- workflows-static-analysis workflows-sub-issue-management.- workflows-sub-issue-management workflows-update-server.- workflows-update-server workflows-workflow-architecture.- workflows-workflow-architecture
Clone
2
workflows-branch-protection.-
Jonathan Miller edited this page 2026-05-11 21:56:21 +00:00
Table of Contents

Home

moko-platform

Branch Protection Setup Workflow

Status: Active | Version: 01.00.00 | Last Updated: 2026-05-07

Table of Contents

Overview

The Branch Protection Setup workflow applies standardised branch protection rules to all governed repositories in the MokoConsulting organization. It runs from the moko-platform repository and uses the Gitea API to create or update protection rules across repos.

Purpose

  • Consistency: Uniform branch protection across all repositories
  • Drift Prevention: Weekly scheduled runs enforce rules even if manually changed
  • Centralised Management: Single workflow controls protection for the entire organization
  • Override Authority: jmiller has full override capability on all branches

Key Features

Idempotent: Deletes and recreates rules to avoid update conflicts
Weekly Enforcement: Scheduled every Monday at 02:00 UTC
Manual Dispatch: Target specific repos or run against all
Dry Run Mode: Preview changes without applying
Centralised: Lives in moko-platform, applies to all governed repos

Protection Rules

Rule Summary

Branch Push Push Whitelist Force Push Force Push Whitelist Block Rejected Reviews Priority
main Whitelist jmiller Whitelist jmiller Yes 1
dev Open Whitelist jmiller No 2
rc/* Open Whitelist jmiller No 3
beta/* Open Whitelist jmiller No 4
alpha/* Open Whitelist jmiller No 5

Rule Details

main (Priority 1 — Strictest)

  • Push: Restricted to whitelist (jmiller only)
  • Force Push: Restricted to whitelist (jmiller only)
  • Block on Rejected Reviews: Yes — prevents merging PRs with rejected reviews
  • Dismiss Stale Approvals: Yes — new commits invalidate previous approvals
  • Required Approvals: 0 (solo developer workflow)

dev (Priority 2)

  • Push: Open to all collaborators
  • Force Push: Restricted to jmiller only
  • Block on Rejected Reviews: No
  • Purpose: Development integration branch — needs open push for cascade workflow and CI bots

rc/*, beta/*, alpha/* (Priority 3-5)

  • Push: Open to all collaborators
  • Force Push: Restricted to jmiller only
  • Block on Rejected Reviews: No
  • Purpose: Pre-release channels — CI workflows push version bumps and package builds directly

Override Authority

jmiller has full override authority across all branches:

  • Can push directly to main (bypassing PR requirement)
  • Can force-push to any branch when needed (emergency fixes, history cleanup)
  • Is the only user in force-push whitelists on all branches

This ensures the organization owner can always intervene in emergencies without being blocked by protection rules.

Workflow Triggers

Trigger Condition
schedule Every Monday at 02:00 UTC (drift enforcement)
workflow_dispatch Manual — supports dry_run and repos inputs

Inputs

Input Type Default Description
dry_run boolean false Preview mode — logs what would change without applying
repos string "" (all) Comma-separated repo names to target (empty = all governed repos)

Configuration

Environment Variables

Variable Value Description
GITEA_URL https://git.mokoconsulting.tech Gitea instance URL
GITEA_ORG MokoConsulting Organization name

Secrets

Secret Required Description
GA_TOKEN Yes Gitea API token with admin/repo permissions

Excluded Repositories

The following repos are excluded from protection rule application:

Repository Reason
gitea-org-config Platform infrastructure
org-profile Platform infrastructure
gitea-private Platform infrastructure
gitea-server-setup Platform infrastructure
moko-platform Standards repository
moko-platform Standards repository
MokoTesting Testing infrastructure
moko-platform-Template-* Template repositories
MokoDoliProjTemplate Template repository

Usage

Apply to All Repos

Trigger the workflow manually with default inputs (no dry run, all repos).

Apply to Specific Repos

repos: MokoOnyx,MokoJoomla,MokoJGDPC

Preview Mode

Set dry_run: true to see which rules would be applied without making changes.

API Approach

The workflow uses a delete-then-create strategy for each rule:

  1. DELETE /repos/{owner}/{repo}/branch_protections/{rule_name} — remove existing rule (if any)
  2. POST /repos/{owner}/{repo}/branch_protections — create fresh rule

This avoids HTTP 422 errors from conflicting updates to existing rules.

Troubleshooting

HTTP 422 on Rule Creation

Symptom: Rule fails to create with HTTP 422

Common Causes:

  1. Username in whitelist doesn't exist as a Gitea user (e.g., bot accounts)
  2. Rule name conflicts with an existing rule that wasn't deleted

Solution: Check the error message in logs — it usually specifies which user or field is invalid

Rules Not Applying to Specific Repo

Symptom: Repo not appearing in workflow output

Cause: Repo is in the exclude list

Solution: Check the EXCLUDE variable in the workflow and remove the repo if it should be governed

Protection Rules Reverted

Symptom: Rules changed back to previous state after manual edit

Cause: Weekly schedule re-applies standard rules every Monday

Solution: Modify the workflow's rule definitions to make permanent changes — manual edits will be overwritten

Related Documentation

Changelog

Version Date Changes
01.00.00 2026-05-07 Initial release — 5 branch rules across all governed repos

Repo: moko-platform · moko-platform wiki

Field Value
Minimum Version 04.07.00
Platform all
Applies To All repositories
Revision Date Author Description
1.0 2026-05-08 Moko Consulting Initial version