Maintaining Coding Standards with GitHub Protected Branches

Question

Pulumi · Accepted Answer

Maintaining coding standards is crucial for a team working on a project, and one way to enforce these standards in a GitHub repository is to set up protected branches. Protected branches ensure that certain conditions are met before code can be merged into the main branch, usually called `main` or `master`.

In Pulumi, we can automate the setup of protected branches using the `pulumi_github` package, which provides resources to interact with GitHub repositories. Below, we'll create a simple Pulumi program with Python that sets up a protected branch for a given repository.

The primary resource we will use is `BranchProtection`, which manages the protection settings of a branch. The branch protection rules we will define include the need for pull request reviews before merging, a signature requirement for commits, enforcement of the rules on repository administrators, and preventing force-pushes and deletions.

Here's how you can use Pulumi with Python to enforce these protections on your GitHub repository's main branch:

```python
import pulumi
import pulumi_github as github

# Replace these variables with your own repository and branch names
repo_name = "my-awesome-repo"
branch_name = "main"

# Instantiate a GitHub repository.
repo = github.Repository("repo",
    name=repo_name,
    description="Your repository description here",
    # Make sure this repository is already initialized or created manually
    # Alternatively, you can use the `auto_init` parameter to create a new repository
    # auto_init=True,
)

# Apply branch protection rules to the 'main' branch of the specified repository.
branch_protection = github.BranchProtection("main-branch-protection",
    repository_id=repo.node_id,
    pattern=branch_name,
    enforce_admins=True,
    allows_deletions=False,
    allows_force_pushes=False,
    require_signed_commits=True,
    required_linear_history=True,
    required_status_checks=github.BranchProtectionRequiredStatusCheckArgs(
        strict=True,
        contexts=["ci/travis-ci"]
    ),
    required_pull_request_reviews=github.BranchProtectionRequiredPullRequestReviewArgs(
        require_code_owner_reviews=True,
        required_approving_review_count=2 # Number of required approvals can be set as per requirement
    )
)

# Export the full repo name and the URL to access it
pulumi.export("repo_full_name", repo.full_name)
pulumi.export("repo_url", pulumi.Output.concat("https://github.com/", repo.full_name))
```

In this program:

1. We first import the necessary Pulumi and GitHub provider packages.
2. We specify the repository name and the branch we want to protect.
3. We use the `github.Repository` resource to reference an existing repository by its name; we assume it is already created.
4. We then use the `github.BranchProtection` resource to enforce branch protection rules on the "main" branch.
5. We set `enforce_admins` to `True` to enforce these rules on repository administrators.
6. We set `allows_deletions` and `allows_force_pushes` to `False` to prevent branch deletions and force-pushes, respectively.
7. We enable `require_signed_commits` and `required_linear_history` to mandate signed commits and a linear commit history.
8. We define `required_status_checks` with the name of the required status check context, such as a CI service like Travis CI.
9. We define `required_pull_request_reviews` with the number of required approving reviews and mandate reviews from code owners.

To execute this program, you'll need to have Pulumi installed and the GitHub provider configured with your GitHub token.

After the program is run:
- The URL to access the repository will be exported as `repo_url`.
- The full repository name will be exported as `repo_full_name`.

Please review the in-line comments for details on each step. This program sets up a robust process for code review and integrates with CI/CD systems, ensuring that only thoroughly reviewed and tested code makes it into your main branch.

For more information about the properties you can configure, check out the [BranchProtection](https://www.pulumi.com/registry/packages/github/api-docs/branchprotection/) documentation on the Pulumi website.