diff --git a/.github/settings.yml b/.github/settings.yml
new file mode 100644
index 00000000..b08b6c17
--- /dev/null
+++ b/.github/settings.yml
@@ -0,0 +1,78 @@
+# Repository settings managed by Probot Settings App
+# https://github.com/probot/settings
+#
+# This file codifies branch protection rules, making them version controlled
+# and preventing configuration drift during repository operations.
+
+repository:
+ # Repository metadata
+ name: gh-aw-firewall
+ description: 🔥 A network firewall for agentic workflows with domain whitelisting
+ homepage: https://githubnext.com/projects/agentic-workflows/
+ topics: github, copilot, security, firewall, docker, squid, mcp
+
+ # Features
+ has_issues: true
+ has_projects: false
+ has_wiki: false
+ has_downloads: true
+
+ # Merge options
+ allow_squash_merge: true
+ allow_merge_commit: false
+ allow_rebase_merge: false
+ delete_branch_on_merge: true
+
+ # Security
+ enable_automated_security_fixes: true
+ enable_vulnerability_alerts: true
+
+# Branch protection rules for main branch
+branches:
+ - name: main
+ protection:
+ # Require pull request reviews before merging
+ required_pull_request_reviews:
+ required_approving_review_count: 1
+ dismiss_stale_reviews: false
+ require_code_owner_reviews: false
+ require_last_push_approval: false
+
+ # Require status checks to pass before merging
+ required_status_checks:
+ strict: true # Require branches to be up to date before merging
+ contexts:
+ # Build verification across Node versions
+ - "Build and Lint (Node 18)"
+ - "Build and Lint (Node 20)"
+ - "Build and Lint (Node 22)"
+
+ # Code quality checks
+ - "ESLint"
+
+ # TypeScript type checking
+ - "TypeScript Type Check"
+
+ # Test coverage
+ - "Test Coverage Report"
+
+ # Examples testing
+ - "Test Examples"
+
+ # Security scanning - CodeQL
+ - "Analyze (javascript-typescript)"
+ - "Analyze (actions)"
+
+ # Security scanning - Container images
+ - "Scan Agent Container"
+ - "Scan Squid Container"
+
+ # PR title validation (uses job ID as no name is defined)
+ - "pr-title"
+
+ # Additional protections
+ enforce_admins: false # Allow admins to bypass for emergencies
+ required_linear_history: false
+ allow_force_pushes: false
+ allow_deletions: false
+ required_conversation_resolution: false
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 5a7044ff..964a3333 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -118,6 +118,22 @@ logger.success('Operation completed successfully');
 - Address any feedback
 - Once approved, your PR will be merged
+### Branch Protection
+
+The `main` branch is protected by required status checks defined in `.github/settings.yml`. All pull requests must:
+
+- Pass all required status checks:
+ - **Build verification** across Node 18, 20, and 22
+ - **Code quality** checks (ESLint, TypeScript type checking)
+ - **Test coverage** with comparison against base branch
+ - **Examples testing** to validate real-world usage
+ - **Security scanning** (CodeQL analysis, Trivy container scans)
+ - **PR title validation** following Conventional Commits format
+- Receive at least **1 approving review** from a maintainer
+- Be **up to date** with the base branch before merging
+
+These rules are codified in `.github/settings.yml` and managed by the [Probot Settings App](https://github.com/probot/settings). Changes to branch protection rules should be made through pull requests to this file, providing an audit trail and preventing configuration drift.
+
 ## 🏗️ Project Structure
 ```
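Review bot: `dismiss_stale_reviews: false` together with `require_last_push_approval: false` means an approval granted on an early revision survives any commits pushed afterwards, so the single review this file requires can be collected before the code that actually lands exists; and because `require_code_owner_reviews: false`, that review can come from any collaborator with write access rather than "a maintainer" as the CONTRIBUTING hunk states, including on PRs that edit this very file or the workflows producing the listed checks. I would set `dismiss_stale_reviews: true`, `require_last_push_approval: true` and `require_code_owner_reviews: true` under `required_pull_request_reviews`, backed by a CODEOWNERS entry for `.github/`, or document in a comment why the weaker setting is accepted. `enforce_admins: false` further exempts admins from every rule above, which deserves a blunter comment than "for emergencies", e.g. `# NOTE: admins are exempt from ALL of the above, including the security scans and review requirement`. The `contexts` list matches required checks by name only and, as far as I know, does not pin the app that reports them; if the Settings app supports the `checks`/`app_id` form, that would be tighter.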