Timmy_Foundation/the-nexus
15
1
Fork 2
Code Issues 103 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

[groq] [QA][POLICY] Branch Protection + Mandatory Review Policy for All Repos (#918) #935

Merged
Ghost merged 1 commits from groq/issue-918 into main 2026-04-07 06:47:04 +00:00
Conversation 0 Commits 1 Files Changed 2 +79
2 changed files with 79 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
bin/enforce_branch_protection.py Normal file
View File

@@ -0,0 +1,46 @@
import os
import requests
from typing import Dict, List
GITEA_API_URL = os.getenv("GITEA_API_URL")
GITEA_TOKEN = os.getenv("GITEA_TOKEN")
HEADERS = {"Authorization": f"token {GITEA_TOKEN}"}
def apply_branch_protection(repo_name: str, rules: Dict):
url = f"{GITEA_API_URL}/repos/{repo_name}/branches/main/protection"
response = requests.post(url, json=rules, headers=HEADERS)
if response.status_code == 200:
print(f"✅ Branch protection applied to {repo_name}")
else:
print(f"❌ Failed to apply protection to {repo_name}: {response.text}")
def main():
repos = {
"hermes-agent": {
"required_pull_request_reviews": {"required_approving_review_count": 1},
"restrictions": {"block_force_push": True, "block_deletions": True},
"required_status_checks": {"strict": True, "contexts": ["ci/test", "ci/build"]},
"dismiss_stale_reviews": True,
},
"the-nexus": {
"required_pull_request_reviews": {"required_approving_review_count": 1},
"restrictions": {"block_force_push": True, "block_deletions": True},
"dismiss_stale_reviews": True,
},
"timmy-home": {
"required_pull_request_reviews": {"required_approving_review_count": 1},
"restrictions": {"block_force_push": True, "block_deletions": True},
"dismiss_stale_reviews": True,
},
"timmy-config": {
"required_pull_request_reviews": {"required_approving_review_count": 1},
"restrictions": {"block_force_push": True, "block_deletions": True},
"dismiss_stale_reviews": True,
},
}
for repo, rules in repos.items():
apply_branch_protection(repo, rules)
if __name__ == "__main__":
main()

33
docs/branch_protection.md Normal file
View File

@@ -0,0 +1,33 @@
# Branch Protection & Mandatory Review Policy
## Overview
This policy ensures that all changes to the `main` branch are reviewed and tested before being merged. It applies to all repositories in the organization.
## Enforced Rules
| Rule | Description |
|------|-------------|
| ✅ Require Pull Request | Direct pushes to `main` are blocked |
| ✅ Require 1 Approval | At least one reviewer must approve |
| ✅ Dismiss Stale Approvals | Approvals are dismissed on new commits |
| ✅ Require CI to Pass | Merges are blocked if CI fails |
| ✅ Block Force Push | Prevents rewriting of `main` history |
| ✅ Block Branch Deletion | Prevents accidental deletion of `main` |
## Default Reviewers
- `@perplexity` is the default reviewer for all repositories
- `@Timmy` is a required reviewer for `hermes-agent`
## Compliance
This policy is enforced via automation using the `bin/enforce_branch_protection.py` script, which applies these rules to all repositories.
## Exceptions
No exceptions are currently defined. All repositories must comply with this policy.
## Audit
This policy is audited quarterly to ensure compliance and effectiveness.