
use rulesets in the rust repo #2327

Open
marcoieni wants to merge 1 commit into main from use-rulesets-in-the-rust-repo

@marcoieni
Member

@marcoieni marcoieni commented Mar 16, 2026

Is there a preferred moment when we want to merge this?

@github-actions

github-actions bot commented Mar 16, 2026

Dry-run check results

[WARN  rust_team::sync] sync-team is running in dry mode, no changes will be applied.
[INFO  rust_team::sync] synchronizing crates-io
[INFO  rust_team::sync] synchronizing github
[INFO  rust_team::sync] 💻 Team Diffs:
    📝 Editing team 'rust-lang/rust-timer':
      Deleting member 'rust-lang-owner'
    💻 Repo Diffs:
    📝 Editing repo 'rust-lang/rust':
      Permission Changes:
        Giving team 'rust-timer' write permission
      Rulesets:
          Creating 'main'
            Include Branches: ["refs/heads/main"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'main - force-push'
            Include Branches: ["refs/heads/main"]
            Required approvals: 1
          Creating 'stable'
            Include Branches: ["refs/heads/stable"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }, RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'stable - force-push'
            Include Branches: ["refs/heads/stable"]
            Bypass Actors: [RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Required approvals: 1
          Creating 'beta'
            Include Branches: ["refs/heads/beta"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }, RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'beta - force-push'
            Include Branches: ["refs/heads/beta"]
            Bypass Actors: [RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Required approvals: 1
          Creating '*'
            Include Branches: ["refs/heads/*"]
            Bypass Actors: [RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
            Required approvals: 1
          Creating '*/**/*'
            Include Branches: ["refs/heads/*/**/*"]
            Restrict updates: true
          Creating 'cargo_update'
            Include Branches: ["refs/heads/cargo_update"]
          Creating 'automation/bors/try'
            Include Branches: ["refs/heads/automation/bors/try"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'automation/bors/try-merge'
            Include Branches: ["refs/heads/automation/bors/try-merge"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'automation/bors/auto'
            Include Branches: ["refs/heads/automation/bors/auto"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'automation/bors/auto-merge'
            Include Branches: ["refs/heads/automation/bors/auto-merge"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'try-perf'
            Include Branches: ["refs/heads/try-perf"]
            Bypass Actors: [RulesetBypassActor { actor_id: 16787004, actor_type: Team, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true
          Creating 'perf-tmp'
            Include Branches: ["refs/heads/perf-tmp"]
            Bypass Actors: [RulesetBypassActor { actor_id: 16787004, actor_type: Team, bypass_mode: Always }]
            Restrict updates: true
            Required approvals: 1

@marcoieni marcoieni force-pushed the use-rulesets-in-the-rust-repo branch 2 times, most recently from 11472fe to ccd8f31 Compare March 19, 2026 12:09
@marcoieni
Member Author

Backup (taken automatically with https://github.com/marcoieni/multicheese in case you are curious!)

[Images: 11 screenshots of the rust-lang/rust branch protection rule settings pages]

@marcoieni marcoieni force-pushed the use-rulesets-in-the-rust-repo branch 2 times, most recently from a4540e6 to 83f09a2 Compare March 19, 2026 22:31
protection.pattern,
);
}

Member Author

@marcoieni marcoieni Mar 19, 2026

From https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#about-rulesets-and-protected-branches:

> Unlike protection rules, multiple rulesets can apply at the same time, so you can be confident that every rule targeting a branch in your repository will be evaluated when someone interacts with that branch

I removed this because we need multiple rules to interact with the same branch (different bypass list for normal push and force push).

Member

In that case we should make the name required when there are multiple identical patterns, because we used the pattern as an identifier.

@marcoieni marcoieni force-pushed the use-rulesets-in-the-rust-repo branch 4 times, most recently from 6f35480 to c3d0cbd Compare March 20, 2026 09:32
@marcoieni
Member Author

Here's how I tested the "stable" and "stable - force-pushes" rules.

[Images: screenshots of the marco-test-org/ruleset-test ruleset settings page]

The user in the test-team was able to push to the repository but not to force-push. See marco-test-org/ruleset-test#1
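The layering discussed above (two rulesets on one branch with different bypass lists, and names as identifiers once patterns repeat), as an added example that is not part of the PR or of sync-team. It is a simplified model assuming exact-ref patterns; the type names, the actor names and the sample data are constructed.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq)]
enum Op { Push, ForcePush }
// Simplified model (assumption): exact-ref patterns, actors as plain strings.
struct Ruleset {
    name: Option<&'static str>,
    pattern: &'static str,
    blocks: &'static [Op],           // operations this ruleset restricts
    bypass: &'static [&'static str], // actors exempt from this ruleset only
}

// Identifier: the name, falling back to the pattern when unnamed.
impl Ruleset { fn id(&self) -> &'static str { self.name.unwrap_or(self.pattern) } }

// Every ruleset targeting the ref is evaluated; a bypass entry exempts the
// actor from that one ruleset only. Returns ids of the rulesets that deny.
fn denied_by(rs: &[Ruleset], actor: &str, branch: &str, op: Op) -> Vec<&'static str> {
    rs.iter()
        .filter(|r| r.pattern == branch && r.blocks.contains(&op) && !r.bypass.contains(&actor))
        .map(|r| r.id())
        .collect()
}

// Ids used by more than one ruleset. Unnamed rulesets sharing a pattern land
// here, which is why a name is needed once patterns repeat.
fn ambiguous_ids(rs: &[Ruleset]) -> Vec<&'static str> {
    let mut count: HashMap<&'static str, usize> = HashMap::new();
    for r in rs { *count.entry(r.id()).or_default() += 1; }
    let mut dup: Vec<_> = count.into_iter().filter(|(_, n)| *n > 1).map(|(k, _)| k).collect();
    dup.sort();
    dup
}

// Constructed sample modelled on the "stable" pair; actor names are made up.
fn sample() -> Vec<Ruleset> {
    vec![
        Ruleset { name: Some("stable"), pattern: "refs/heads/stable",
                  blocks: &[Op::Push, Op::ForcePush], bypass: &["test-team", "release-app"] },
        Ruleset { name: Some("stable - force-push"), pattern: "refs/heads/stable",
                  blocks: &[Op::ForcePush], bypass: &["release-app"] },
    ]
}

fn main() {
    let rs = sample();
    println!("test-team force-push denied by {:?}", denied_by(&rs, "test-team", "refs/heads/stable", Op::ForcePush));
    println!("ambiguous ids: {:?}", ambiguous_ids(&rs));
}
```

An actor may perform an operation only when `denied_by` returns an empty list, so being on one ruleset's bypass list never widens access granted by another.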

@marcoieni marcoieni force-pushed the use-rulesets-in-the-rust-repo branch 2 times, most recently from 6e4c63c to c67ec1b Compare March 23, 2026 22:54
@marcoieni
Member Author

There's one issue:
In the try-perf branch, the user rust-timer is allowed to push.
In rulesets, only teams and github apps can be allowed to push.
Should we create a team for rust-timer?
Another approach would be converting rust-timer to a github app but I'm not sure how difficult it is.

@marcoieni marcoieni mentioned this pull request Mar 24, 2026
1 task
@marcoieni marcoieni force-pushed the use-rulesets-in-the-rust-repo branch 4 times, most recently from 0dee3f1 to f614447 Compare March 24, 2026 06:23
@Kobzol
Member

Kobzol commented Mar 24, 2026

We are relatively close to making the unrolled PRs by bors, instead of rustc-perf. If this can wait a few weeks, rust-timer will no longer need that access.

@marcoieni marcoieni force-pushed the use-rulesets-in-the-rust-repo branch from f614447 to dbe30bf Compare March 24, 2026 06:25
@marcoieni
Member Author

> We are relatively close to making the unrolled PRs by bors, instead of rustc-perf. If this can wait a few weeks, rust-timer will no longer need that access.

#2343 is a small change that can be reverted easily. Since this is the only blocker to have rulesets in the rust I'm in favor of creating the team. What do you think? 🤔

@Kobzol
Member

Kobzol commented Mar 24, 2026

Sure, go ahead, it's a small change 👍

@marcoieni marcoieni force-pushed the use-rulesets-in-the-rust-repo branch 3 times, most recently from 1b14c6d to c62adff Compare March 24, 2026 17:25
let bypass_actors = self.bypass_actors(expected_repo, branch_protection).await?;

Ok(construct_ruleset(branch_protection, bypass_actors))
}
Member Author

this function is only two lines but I left it like this to minimize the git diff of the PR.
We could inline the construct_ruleset free function later

bypass_mode: RulesetBypassMode::Always,
})
})
.collect();
Member Author

this piece of code was moved up

@marcoieni marcoieni force-pushed the use-rulesets-in-the-rust-repo branch from c62adff to 8c81777 Compare March 24, 2026 17:48
bail!(
r#"repo '{}' uses a branch protection for {} that mentions the '{}' github team;
but that team does not seem to exist"#,
r#"repo '{}' uses a branch protection for {} that mentions the '{}' github team; but that team does not seem to exist"#,
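Review bot: In the single-line replacement of the error text, the raw-string form r#"..."# is no longer needed, because the message now contains no line break, double quote or backslash; a plain string literal would be simpler. Joined onto one line, "github team; but that team" would also read better with a comma in place of the semicolon.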
Member Author

I put this error and the next one on the same line to improve how they look in github actions.

@marcoieni marcoieni marked this pull request as ready for review March 24, 2026 17:56
@marcoieni marcoieni requested a review from Kobzol March 24, 2026 17:57