From 7f565fd2e4b7d353171d8c98a3439d418e5702c7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 26 Jan 2026 23:01:12 +0000 Subject: [PATCH 1/3] Initial plan From 2d65f7fe0c44e98c2f77205f6d65dbc0d4c63cbc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 26 Jan 2026 23:03:37 +0000 Subject: [PATCH 2/3] feat: add branch protection configuration file - Create .github/settings.yml with comprehensive branch protection rules - Define required status checks for main branch: * Build verification across Node 18, 20, 22 * Code quality checks (ESLint, TypeScript type checking) * Test coverage with regression detection * Examples testing * Security scanning (CodeQL, Trivy container scans) * PR title validation - Require 1 approving review - Enforce up-to-date branches before merge - Document configuration in CONTRIBUTING.md Closes #348 Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> --- .github/settings.yml | 78 ++++++++++++++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 16 +++++++++ 2 files changed, 94 insertions(+) create mode 100644 .github/settings.yml diff --git a/.github/settings.yml b/.github/settings.yml new file mode 100644 index 00000000..24780880 --- /dev/null +++ b/.github/settings.yml 
@@ -0,0 +1,78 @@ +# Repository settings managed by Probot Settings App +# https://github.com/probot/settings +# +# This file codifies branch protection rules, making them version controlled +# and preventing configuration drift during repository operations. + +repository: + # Repository metadata + name: gh-aw-firewall + description: 🔥 A network firewall for agentic workflows with domain whitelisting + homepage: https://githubnext.com/projects/agentic-workflows/ + topics: github, copilot, security, firewall, docker, squid, mcp + + # Features + has_issues: true + has_projects: false + has_wiki: false + has_downloads: true + + # Merge options + allow_squash_merge: true + allow_merge_commit: false + allow_rebase_merge: false + delete_branch_on_merge: true + + # Security + enable_automated_security_fixes: true + enable_vulnerability_alerts: true + +# Branch protection rules for main branch +branches: + - name: main + protection: + # Require pull request reviews before merging + required_pull_request_reviews: + required_approving_review_count: 1 + dismiss_stale_reviews: false + require_code_owner_reviews: false + require_last_push_approval: false + + # Require status checks to pass before merging + required_status_checks: + strict: true # Require branches to be up to date before merging + contexts: + # Build verification across Node versions + - "Build and Lint (Node 18)" + - "Build and Lint (Node 20)" + - "Build and Lint (Node 22)" + + # Code quality checks + - "ESLint" + + # TypeScript type checking + - "TypeScript Type Check" + + # Test coverage + - "Test Coverage Report" + + # Examples testing + - "Test Examples" + + # Security scanning - CodeQL + - "Analyze (javascript-typescript)" + - "Analyze (actions)" + + # Security scanning - Container images + - "Scan Agent Container" + - "Scan Squid Container" + + # PR title validation + - "PR Title Check" + + # Additional protections + enforce_admins: false # Allow admins to bypass for emergencies + required_linear_history: 
false + allow_force_pushes: false + allow_deletions: false + required_conversation_resolution: false diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 5a7044ff..964a3333 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -118,6 +118,22 @@ logger.success('Operation completed successfully'); - Address any feedback - Once approved, your PR will be merged +### Branch Protection + +The `main` branch is protected by required status checks defined in `.github/settings.yml`. All pull requests must: + +- Pass all required status checks: + - **Build verification** across Node 18, 20, and 22 + - **Code quality** checks (ESLint, TypeScript type checking) + - **Test coverage** with comparison against base branch + - **Examples testing** to validate real-world usage + - **Security scanning** (CodeQL analysis, Trivy container scans) + - **PR title validation** following Conventional Commits format +- Receive at least **1 approving review** from a maintainer +- Be **up to date** with the base branch before merging + +These rules are codified in `.github/settings.yml` and managed by the [Probot Settings App](https://github.com/probot/settings). Changes to branch protection rules should be made through pull requests to this file, providing an audit trail and preventing configuration drift. + ## 🏗️ Project Structure ``` From 7387e3ac9ad2910af4a73f0be2ab8fde802eb6b3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 26 Jan 2026 23:04:28 +0000 Subject: [PATCH 3/3] fix: correct pr-title status check name in settings.yml The pr-title job doesn't define an explicit name field, so GitHub uses the job ID as the status check name. Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> --- .github/settings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/settings.yml b/.github/settings.yml index 24780880..b08b6c17 100644 --- a/.github/settings.yml +++ b/.github/settings.yml 
@@ -67,8 +67,8 @@ branches: - "Scan Agent Container" - "Scan Squid Container" - # PR title validation - - "PR Title Check" + # PR title validation (uses job ID as no name is defined) + - "pr-title" # Additional protections enforce_admins: false # Allow admins to bypass for emergencies
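Review bot: in the `required_pull_request_reviews` block of the `.github/settings.yml` hunk (patch 2/3), `dismiss_stale_reviews: false` together with `require_last_push_approval: false` means one approval stays valid regardless of what is pushed afterwards, so the author can add commits after approval and merge them unreviewed; `enforce_admins: false` on top of that lets an admin merge with no checks or reviews at all. For a repository whose purpose is egress control for agentic workflows, suggest `dismiss_stale_reviews: true` (or `require_last_push_approval: true`), and if the "Allow admins to bypass for emergencies" comment is a hard requirement, document who holds admin. Separately, Probot Settings applies this file as soon as it lands on `main`, and a context under `contexts` that no workflow ever reports (as `"PR Title Check"` turned out to be) leaves every PR stuck waiting on an expected check, so each name should be verified against its workflow before merge.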
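Review bot: the new "Branch Protection" section in the `CONTRIBUTING.md` hunk says the rules are "managed by the Probot Settings App" and that changes "should be made through pull requests to this file", but omits two things contributors need: the app must be installed on the repository for the file to have any effect, and the `contexts` entries must match workflow job names exactly, so renaming a job under `.github/workflows/` without updating `settings.yml` in the same PR blocks all merges. The bullet "Receive at least **1 approving review** from a maintainer" also overstates the config: with `require_code_owner_reviews: false` the setting accepts an approval from any collaborator with write access, not specifically a maintainer. Suggest adding a sentence on the first two points and either adjusting the wording or enabling code owner reviews for the third.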
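Review bot: the rename to `- "pr-title"` in the patch 3/3 hunk fixes the one context the commit message says was checked, but the same job-ID-versus-`name:` mismatch can affect any other entry in the list and nothing in the diff shows the remaining contexts were verified. Suggest either cross-checking each other context against the `name:` (or job ID when none is set) in its workflow within this PR, or, preferably, adding `name: PR Title Check` to the `pr-title` job so the status check keeps a readable name and the "(uses job ID as no name is defined)" comment becomes unnecessary.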