docs: document rebase-before-merge protection (#1253 )

feat: codify rebase-before-merge protection (#1253 )
2026-04-15 09:59:17 +00:00 · 2026-04-15 09:59:15 +00:00 · 2026-04-15 09:59:12 +00:00 · 2026-04-15 09:59:10 +00:00
4 changed files with 86 additions and 23 deletions
--- a/.gitea/branch-protection/the-nexus.yml
+++ b/.gitea/branch-protection/the-nexus.yml
@@ -6,3 +6,4 @@ rules:
  require_ci_to_merge: false # CI runner dead (issue #915)
  block_force_pushes: true
  block_deletions: true
+  block_on_outdated_branch: true
--- a/.github/BRANCH_PROTECTION.md
+++ b/.github/BRANCH_PROTECTION.md
@@ -12,6 +12,7 @@ All repositories must enforce these rules on the `main` branch:
 | Require CI to pass | ⚠ Conditional | Only where CI exists |
 | Block force push | ✅ Enabled | Protect commit history |
 | Block branch deletion | ✅ Enabled | Prevent accidental deletion |
+| Require branch up-to-date before merge | ✅ Enabled | Surface conflicts before merge and force contributors to rebase |

 ## Default Reviewer Assignments

--- a/scripts/sync_branch_protection.py
+++ b/scripts/sync_branch_protection.py
@@ -4,48 +4,61 @@ Sync branch protection rules from .gitea/branch-protection/*.yml to Gitea.
 Correctly uses the Gitea 1.25+ API (not GitHub-style).
 """

+from __future__ import annotations
+
+import json
 import os
 import sys
-import json
 import urllib.request
+from pathlib import Path
+
 import yaml

 GITEA_URL = os.getenv("GITEA_URL", "https://forge.alexanderwhitestone.com")
 GITEA_TOKEN = os.getenv("GITEA_TOKEN", "")
 ORG = "Timmy_Foundation"
-CONFIG_DIR = ".gitea/branch-protection"
+PROJECT_ROOT = Path(__file__).resolve().parent.parent
+CONFIG_DIR = PROJECT_ROOT / ".gitea" / "branch-protection"


 def api_request(method: str, path: str, payload: dict | None = None) -> dict:
    url = f"{GITEA_URL}/api/v1{path}"
    data = json.dumps(payload).encode() if payload else None
-    req = urllib.request.Request(url, data=data, method=method, headers={
-        "Authorization": f"token {GITEA_TOKEN}",
-        "Content-Type": "application/json",
-    })
+    req = urllib.request.Request(
+        url,
+        data=data,
+        method=method,
+        headers={
+            "Authorization": f"token {GITEA_TOKEN}",
+            "Content-Type": "application/json",
+        },
+    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


-def apply_protection(repo: str, rules: dict) -> bool:
-    branch = rules.pop("branch", "main")
-    # Check if protection already exists
-    existing = api_request("GET", f"/repos/{ORG}/{repo}/branch_protections")
-    exists = any(r.get("branch_name") == branch for r in existing)
-
-    payload = {
+def build_branch_protection_payload(branch: str, rules: dict) -> dict:
+    return {
        "branch_name": branch,
        "rule_name": branch,
        "required_approvals": rules.get("required_approvals", 1),
        "block_on_rejected_reviews": rules.get("block_on_rejected_reviews", True),
        "dismiss_stale_approvals": rules.get("dismiss_stale_approvals", True),
        "block_deletions": rules.get("block_deletions", True),
-        "block_force_push": rules.get("block_force_push", True),
+        "block_force_push": rules.get("block_force_push", rules.get("block_force_pushes", True)),
        "block_admin_merge_override": rules.get("block_admin_merge_override", True),
        "enable_status_check": rules.get("require_ci_to_merge", False),
        "status_check_contexts": rules.get("status_check_contexts", []),
+        "block_on_outdated_branch": rules.get("block_on_outdated_branch", False),
    }

+
+def apply_protection(repo: str, rules: dict) -> bool:
+    branch = rules.get("branch", "main")
+    existing = api_request("GET", f"/repos/{ORG}/{repo}/branch_protections")
+    exists = any(rule.get("branch_name") == branch for rule in existing)
+    payload = build_branch_protection_payload(branch, rules)
+
    try:
        if exists:
            api_request("PATCH", f"/repos/{ORG}/{repo}/branch_protections/{branch}", payload)
@@ -53,8 +66,8 @@ def apply_protection(repo: str, rules: dict) -> bool:
            api_request("POST", f"/repos/{ORG}/{repo}/branch_protections", payload)
        print(f"✅ {repo}:{branch} synced")
        return True
-    except Exception as e:
-        print(f"❌ {repo}:{branch} failed: {e}")
+    except Exception as exc:
+        print(f"❌ {repo}:{branch} failed: {exc}")
        return False


@@ -62,15 +75,18 @@ def main() -> int:
    if not GITEA_TOKEN:
        print("ERROR: GITEA_TOKEN not set")
        return 1
+    if not CONFIG_DIR.exists():
+        print(f"ERROR: config directory not found: {CONFIG_DIR}")
+        return 1

    ok = 0
-    for fname in os.listdir(CONFIG_DIR):
-        if not fname.endswith(".yml"):
-            continue
-        repo = fname[:-4]
-        with open(os.path.join(CONFIG_DIR, fname)) as f:
-            cfg = yaml.safe_load(f)
-        if apply_protection(repo, cfg.get("rules", {})):
+    for cfg_path in sorted(CONFIG_DIR.glob("*.yml")):
+        repo = cfg_path.stem
+        with cfg_path.open() as fh:
+            cfg = yaml.safe_load(fh) or {}
+        rules = cfg.get("rules", {})
+        rules.setdefault("branch", cfg.get("branch", "main"))
+        if apply_protection(repo, rules):
            ok += 1

    print(f"\nSynced {ok} repo(s)")
--- a/tests/test_sync_branch_protection.py
+++ b/tests/test_sync_branch_protection.py
@@ -0,0 +1,45 @@
+from __future__ import annotations
+
+import importlib.util
+import sys
+from pathlib import Path
+
+import yaml
+
+PROJECT_ROOT = Path(__file__).parent.parent
+
+_spec = importlib.util.spec_from_file_location(
+    "sync_branch_protection_test",
+    PROJECT_ROOT / "scripts" / "sync_branch_protection.py",
+)
+_mod = importlib.util.module_from_spec(_spec)
+sys.modules["sync_branch_protection_test"] = _mod
+_spec.loader.exec_module(_mod)
+
+build_branch_protection_payload = _mod.build_branch_protection_payload
+
+
+def test_build_branch_protection_payload_enables_rebase_before_merge():
+    payload = build_branch_protection_payload(
+        "main",
+        {
+            "required_approvals": 1,
+            "dismiss_stale_approvals": True,
+            "require_ci_to_merge": False,
+            "block_deletions": True,
+            "block_force_push": True,
+            "block_on_outdated_branch": True,
+        },
+    )
+
+    assert payload["branch_name"] == "main"
+    assert payload["rule_name"] == "main"
+    assert payload["block_on_outdated_branch"] is True
+    assert payload["required_approvals"] == 1
+    assert payload["enable_status_check"] is False
+
+
+def test_the_nexus_branch_protection_config_requires_up_to_date_branch():
+    config = yaml.safe_load((PROJECT_ROOT / ".gitea" / "branch-protection" / "the-nexus.yml").read_text())
+    rules = config["rules"]
+    assert rules["block_on_outdated_branch"] is True
Author	SHA1	Message	Date
Alexander Whitestone	39cf447ee0	docs: document rebase-before-merge protection (#1253 ) Some checks are pending CI / test (pull_request) Waiting to run Details CI / validate (pull_request) Waiting to run Details Review Approval Gate / verify-review (pull_request) Waiting to run Details	2026-04-15 09:59:17 +00:00
Alexander Whitestone	fe5b9c8b75	feat: codify rebase-before-merge protection (#1253 )	2026-04-15 09:59:15 +00:00
Alexander Whitestone	871188ec12	feat: codify rebase-before-merge protection (#1253 )	2026-04-15 09:59:12 +00:00
Alexander Whitestone	9482403a23	wip: add rebase-before-merge protection tests	2026-04-15 09:59:10 +00:00