forked from github/safe-settings
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathorg-ruleset.yml
153 lines (142 loc) · 4.99 KB
/
org-ruleset.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
rulesets:
- name: demo
# Name of the rule
target: branch
# The target of the ruleset. Can be one of:
# - branch
# - tag
enforcement: disabled
# The enforcement level of the ruleset. `evaluate` allows admins to test
# rules before enforcing them.
# - disabled
# - active
# - evaluate
bypass_actors:
# The actors that can bypass the rules in this ruleset
- actor_id: 3974045
actor_type: Team
# type: The type of actor that can bypass a ruleset
# - RepositoryRole
# - Team
# - Integration
# - OrganizationAdmin
bypass_mode: pull_request
# When the specified actor can bypass the ruleset. `pull_request`
# means that an actor can only bypass rules on pull requests.
# - always
# - pull_request
- actor_id: 1
actor_type: OrganizationAdmin
bypass_mode: always
- actor_id: 7898
actor_type: RepositoryRole
bypass_mode: always
- actor_id: 210920
actor_type: Integration
bypass_mode: always
conditions:
ref_name:
# Parameters for a repository ruleset ref name condition
include: ["~DEFAULT_BRANCH"]
# Array of ref names or patterns to include. One of these
# patterns must match for the condition to pass. Also accepts
# `~DEFAULT_BRANCH` to include the default branch or `~ALL` to
# include all branches.
exclude: ["refs/heads/oldmaster"]
# Array of ref names or patterns to exclude. The condition
# will not pass if any of these patterns match.
repository_name:
include: ["test*"]
# Array of repository names or patterns to include.
# One of these patterns must match for the condition
# to pass. Also accepts `~ALL` to include all
# repositories.
exclude: ["test","test1"]
# Array of repository names or patterns to exclude. The
# condition will not pass if any of these patterns
# match.
protected: true
# Whether renaming of target repositories is
# prevented.
rules:
- type: creation
- type: update
- type: update_allows_fetch_and_merge
- type: deletion
- type: required_linear_history
- type: required_signatures
- type: required_deployments
parameters:
required_deployment_environments: ["test"]
- type: pull_request
parameters:
dismiss_stale_reviews_on_push: true
# New, reviewable commits pushed will dismiss previous pull
# request review approvals.
require_code_owner_review: true
# Require an approving review in pull requests that modify
# files that have a designated code owner
require_last_push_approval: true
# Whether the most recent reviewable push must be approved
# by someone other than the person who pushed it.
required_approving_review_count: 10
# The number of approving reviews that are required before a
# pull request can be merged.
required_review_thread_resolution: true
# All conversations on code must be resolved before a pull
# request can be merged.
- type: required_status_checks
# Choose which status checks must pass before branches can be merged
# into a branch that matches this rule. When enabled, commits must
# first be pushed to another branch, then merged or pushed directly
# to a branch that matches this rule after status checks have
# passed.
parameters:
strict_required_status_checks_policy: false
# Whether pull requests targeting a matching branch must be
# tested with the latest code. This setting will not take
# effect unless at least one status check is enabled.
required_status_checks:
- context: CodeQL
integration_id: 1234
- context: GHAS Compliance
integration_id: 1234
- type: commit_message_pattern
parameters:
name: test commit_message_pattern
# required:
# - operator
# - pattern
negate: true
operator: starts_with
# The operator to use for matching.
# - starts_with
# - ends_with
# - contains
# - regex
pattern: skip*
# The pattern to match with.
- type: commit_author_email_pattern
parameters:
name: test commit_author_email_pattern
negate: false
operator: regex
pattern: "^.*@example.com$"
- type: committer_email_pattern
parameters:
name: test committer_email_pattern
negate: false
operator: regex
pattern: "^.*@example.com$"
- type: branch_name_pattern
parameters:
name: test branch_name_pattern
negate: false
operator: regex
pattern: ".*\/.*"
- type: "tag_name_pattern"
parameters:
name: test tag_name_pattern
negate: false
operator: regex
pattern: ".*\/.*"