From 1db1ae85b27ef2cc2279686f7560d9b8995cb848 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Luis=20Segura=20Lucas?=
Date: Wed, 15 Apr 2026 14:09:42 +0200
Subject: [PATCH] Document and backup rulesets
---
 github-rulesets/README.md | 64 +++++++++++++++++++
 github-rulesets/min_obsint_reviewers.json | 46 +++++++++++++
 .../prodsec_branch_protection.json | 52 +++++++++++++++
 github-rulesets/status_checks.json | 48 ++++++++++++++
 4 files changed, 210 insertions(+)
 create mode 100644 github-rulesets/README.md
 create mode 100644 github-rulesets/min_obsint_reviewers.json
 create mode 100644 github-rulesets/prodsec_branch_protection.json
 create mode 100644 github-rulesets/status_checks.json
diff --git a/github-rulesets/README.md b/github-rulesets/README.md
new file mode 100644
index 0000000..18c5bcf
--- /dev/null
+++ b/github-rulesets/README.md
@@ -0,0 +1,64 @@
+# GitHub rulesets
+
+The branch protection in our repositories is performed using the "rulesets".
+
+The configuration can be found on repository Settings -> Rules -> Rulesets.
+
+## Configuration files
+
+Each JSON file is an export of a ruleset (same repository: `RedHatInsights/processing-tools`).
+All three target **branches** and apply to the **default branch** (`~DEFAULT_BRANCH`) only, with
+**active** enforcement.
+
+### `prodsec_branch_protection.json` — [PRODSEC] Branch Protection
+
+This ruleset ensures that the requirements from ProdSec are fulfilled.
+
+It has a bypass for both RedHat Konflux and our own bots in order to allow the auto-merge for
+version bumps, rule releases or synchronisation PRs.
+
+- **Branch deletion** and **non–fast-forward** (force-push) updates are blocked.
+- **Pull request:** 1 approving review required; **code owner review** required.
+- Stale reviews **are** dismissed when new commits are pushed.
+- **Last-push approval** is required (new commits need another approval).
+- Resolved review threads are **not** required before merge.
+- **Merge methods:** merge, squash, or rebase.
+- **Bypass:** Red Hat Konflux application and obsint-processing-app integrations, in "exempt" mode.
+
+### `min_obsint_reviewers.json` — [OBSINT-Proc] 2 reviewers
+
+This ruleset enforces the team's policy of at least 2 reviewers.
+
+It has a bypass for both RedHat Konflux and our own bots in order to allow the auto-merge for
+version bumps, rule releases or synchronisation PRs.
+
+- **Pull request:** 2 approving reviews required; **code owner review** required.
+- Stale reviews are **not** dismissed when new commits are pushed.
+- **Last-push approval** is not required.
+- Resolved review threads are **not** required before merge.
+- **Merge methods:** merge, squash, or rebase.
+- **Bypass:** Red Hat Konflux application and obsint-processing-app integrations, in "exempt" mode.
+
+### `status_checks.json` — Status checks
+
+This ruleset enforces that the status checks are passing for every PR. This ruleset doesn't have
+any bypass, so it is enforced for every pull request, including bot ones.
+
+**IMPORTANT NOTE**: even if it can be imported without any warning in a repository, the status
+checks to be enforced are different on each one. Please, import this ruleset with caution in
+other repositories or you can break your PR ruleset.
+
+- **Required status checks:** the **Linters** check must pass (`integration_id` 15368). Branch
+ protection does **not** require branches to be up to date before merging. Checks **are**
+ enforced on new branches.
+- **Pull request:** 0 approvals in this ruleset (reviews are covered by other rulesets);
+ merge/squash/rebase allowed.
+- **Bypass:** none.
+
+## Note about actor identifiers
+
+In the configuration files, the bypasses are shown using the `actor_id` attribute, not its name.
+The currently used actors are:
+
+- "296509": Red Hat Konflux
+- "3331057": obsint-processing-app
diff --git a/github-rulesets/min_obsint_reviewers.json b/github-rulesets/min_obsint_reviewers.json
new file mode 100644
index 0000000..a87736d
--- /dev/null
+++ b/github-rulesets/min_obsint_reviewers.json
@@ -0,0 +1,46 @@
+{
+ "id": 15093725,
+ "name": "[OBSINT-Proc] 2 reviewers",
+ "target": "branch",
+ "source_type": "Repository",
+ "source": "RedHatInsights/processing-tools",
+ "enforcement": "active",
+ "conditions": {
+ "ref_name": {
+ "exclude": [],
+ "include": [
+ "~DEFAULT_BRANCH"
+ ]
+ }
+ },
+ "rules": [
+ {
+ "type": "pull_request",
+ "parameters": {
+ "required_approving_review_count": 2,
+ "dismiss_stale_reviews_on_push": false,
+ "required_reviewers": [],
+ "require_code_owner_review": true,
+ "require_last_push_approval": false,
+ "required_review_thread_resolution": false,
+ "allowed_merge_methods": [
+ "merge",
+ "squash",
+ "rebase"
+ ]
+ }
+ }
+ ],
+ "bypass_actors": [
+ {
+ "actor_id": 296509,
+ "actor_type": "Integration",
+ "bypass_mode": "exempt"
+ },
+ {
+ "actor_id": 3331057,
+ "actor_type": "Integration",
+ "bypass_mode": "exempt"
+ }
+ ]
+}
diff --git a/github-rulesets/prodsec_branch_protection.json b/github-rulesets/prodsec_branch_protection.json
new file mode 100644
index 0000000..7f5e0c0
--- /dev/null
+++ b/github-rulesets/prodsec_branch_protection.json
@@ -0,0 +1,52 @@
+{
+ "id": 15093715,
+ "name": "[PRODSEC] Branch Protection",
+ "target": "branch",
+ "source_type": "Repository",
+ "source": "RedHatInsights/processing-tools",
+ "enforcement": "active",
+ "conditions": {
+ "ref_name": {
+ "exclude": [],
+ "include": [
+ "~DEFAULT_BRANCH"
+ ]
+ }
+ },
+ "rules": [
+ {
+ "type": "deletion"
+ },
+ {
+ "type": "non_fast_forward"
+ },
+ {
+ "type": "pull_request",
+ "parameters": {
+ "required_approving_review_count": 1,
+ "dismiss_stale_reviews_on_push": true,
+ "required_reviewers": [],
+ "require_code_owner_review": true,
+ "require_last_push_approval": true,
+ "required_review_thread_resolution": false,
+ "allowed_merge_methods": [
+ "merge",
+ "squash",
+ "rebase"
+ ]
+ }
+ }
+ ],
+ "bypass_actors": [
+ {
+ "actor_id": 296509,
+ "actor_type": "Integration",
+ "bypass_mode": "exempt"
+ },
+ {
+ "actor_id": 3331057,
+ "actor_type": "Integration",
+ "bypass_mode": "exempt"
+ }
+ ]
+}
diff --git a/github-rulesets/status_checks.json b/github-rulesets/status_checks.json
new file mode 100644
index 0000000..499df7f
--- /dev/null
+++ b/github-rulesets/status_checks.json
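Review bot: The `bypass_actors` list with `"bypass_mode": "exempt"` sits at ruleset level beside `rules`, so the two integrations are exempted from every rule in this file, including `deletion` and `non_fast_forward`, not only from the pull_request review requirement that the README says the bypass exists for. In practice that means a compromised or misbehaving token for either integration could force-push to or delete the default branch, which the README describes as blocked. If the bypass is only meant to allow bot auto-merges, consider keeping `deletion` and `non_fast_forward` in a separate ruleset with `"bypass_actors": []`, or confirm on the GitHub side that these integrations are intended to be able to rewrite history. The same exempt actors appear in min_obsint_reviewers.json, but that ruleset has no deletion/force-push rules, so the concern applies only here.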
@@ -0,0 +1,48 @@
+{
+ "id": 15093731,
+ "name": "Status checks",
+ "target": "branch",
+ "source_type": "Repository",
+ "source": "RedHatInsights/processing-tools",
+ "enforcement": "active",
+ "conditions": {
+ "ref_name": {
+ "exclude": [],
+ "include": [
+ "~DEFAULT_BRANCH"
+ ]
+ }
+ },
+ "rules": [
+ {
+ "type": "required_status_checks",
+ "parameters": {
+ "strict_required_status_checks_policy": false,
+ "do_not_enforce_on_create": false,
+ "required_status_checks": [
+ {
+ "context": "Linters",
+ "integration_id": 15368
+ }
+ ]
+ }
+ },
+ {
+ "type": "pull_request",
+ "parameters": {
+ "required_approving_review_count": 0,
+ "dismiss_stale_reviews_on_push": false,
+ "required_reviewers": [],
+ "require_code_owner_review": false,
+ "require_last_push_approval": false,
+ "required_review_thread_resolution": false,
+ "allowed_merge_methods": [
+ "merge",
+ "squash",
+ "rebase"
+ ]
+ }
+ }
+ ],
+ "bypass_actors": []
+}