eclipse-thingweb / .eclipsefdn

Repository to host configurations related to the Eclipse Foundation.
https://eclipse-thingweb.github.io/.eclipsefdn/

Allow bypassing branch protection for dart_wot #21

Closed JKRhb closed 6 months ago

JKRhb commented 6 months ago

For dart_wot, I want to automate the release procedure and let GitHub Actions automatically generate new release notes and bump the version number of the package. However, for security reasons, apparently you need to add a personal access token to actually let the GitHub Actions workflows run for Pull Requests, causing the PRs to not be mergable in the current setup due to required checks that don't get triggered.

As a quick workaround, this PR would give me privileges to bypass the branch protection rules if needed. I would revert this change once I have a personal access token in place that can be used for this purpose. By the way: Are there any best practices to create personal access tokens for Eclipse Projects?

Thanks a lot :)

eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot.

Thank you for raising a pull request to update the configuration of your GitHub organization. You can manually add reviewers to this PR to eventually enable auto-merging.

The following conditions need to be fulfilled for auto-merging to be available:

Otterdog commands and options

You can trigger otterdog actions by commenting on this PR:

- `/otterdog team-info` checks the team / org membership for the PR author
- `/otterdog validate` validates the configuration change
- `/otterdog validate info` validates the configuration change, printing also validation infos
- `/otterdog check-sync` checks if the base ref is in sync with live settings
- `/otterdog merge` merges and applies the changes if the PR is eligible for auto-merging (only accessible for the author)
- `/otterdog done` notifies the self-service bot that a required manual apply operation has been performed (only accessible for members of the admin team)
- `/otterdog apply` re-apply a previously failed attempt (only accessible for members of the admin team)

eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot.

The author (JKRhb) of this PR is associated with this organization in the role of MEMBER.

Additionally, JKRhb is a member of the following teams:

eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot. Please find below the validation of the requested configuration changes:

Diff for 5aba329f91ad8045740bb3416b4bee1df723116b

```diff
Organization iot.thingweb[id=eclipse-thingweb]
╷
│ Warning: branch_protection_rule[pattern="main", repository="dart_wot"] has 'requires_pull_request' disabled but 'bypass_pull_request_allowances' is set to '['@JKRhb']', setting will be ignored.
╵
Plan: 0 to add, 0 to change, 0 to delete.
```

eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot. The current configuration is in-sync with the live settings. :rocket:

eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot. Please find below the validation of the requested configuration changes:

Diff for b380870e4cc82f79182a6e0fcdf73ea1072b8a57

```diff
Organization iot.thingweb[id=eclipse-thingweb]
╷
│ Error: branch_protection_rule[pattern="main", repository="dart_wot"] has 'requires_pull_request' enabled but 'required_approving_review_count' is not set (must be set to a non negative number).
╵
Planning aborted due to validation errors.
```

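The warning and the error reported by the bot above follow from two consistency conditions on the branch protection attributes named in this PR. The following is an added example, not otterdog's own code, that reimplements those two checks and the plan-style change listing for a single rule; the attribute names are the ones in the validation output, everything else (class and function names, sample values) is constructed here.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class BranchProtectionRule:
    """Subset of a branch protection rule: only the attributes touched by this PR."""
    pattern: str
    repository: str
    requires_pull_request: bool = False
    required_approving_review_count: Optional[int] = None
    bypass_pull_request_allowances: List[str] = field(default_factory=list)

def validate(rule: BranchProtectionRule) -> List[Tuple[str, str]]:
    """Return (level, message) findings mirroring the bot's warning and error."""
    ident = f'branch_protection_rule[pattern="{rule.pattern}", repository="{rule.repository}"]'
    findings = []
    # Warning: a bypass list is meaningless when pull requests are not required.
    if not rule.requires_pull_request and rule.bypass_pull_request_allowances:
        findings.append(("warning", f"{ident} has 'requires_pull_request' disabled but "
                         f"'bypass_pull_request_allowances' is set to "
                         f"'{rule.bypass_pull_request_allowances}', setting will be ignored."))
    # Error: requiring pull requests needs an explicit, non-negative review count.
    count = rule.required_approving_review_count
    if rule.requires_pull_request and (count is None or count < 0):
        findings.append(("error", f"{ident} has 'requires_pull_request' enabled but "
                         "'required_approving_review_count' is not set "
                         "(must be set to a non negative number)."))
    return findings

def plan(current: BranchProtectionRule, desired: BranchProtectionRule) -> List[Tuple[str, object, object]]:
    """List (attribute, old, new) changes; abort, as the bot does, on validation errors."""
    errors = [msg for level, msg in validate(desired) if level == "error"]
    if errors:
        raise ValueError("Planning aborted due to validation errors: " + "; ".join(errors))
    changes = []
    for name in ("bypass_pull_request_allowances",
                 "required_approving_review_count", "requires_pull_request"):
        old, new = getattr(current, name), getattr(desired, name)
        if old != new:
            changes.append((name, old, new))
    return changes

# Constructed sample: the live rule before this PR, and the rule as finally merged.
LIVE = BranchProtectionRule("main", "dart_wot")
FINAL = BranchProtectionRule("main", "dart_wot", requires_pull_request=True,
                             required_approving_review_count=1,
                             bypass_pull_request_allowances=["@JKRhb"])
```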
eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot. The current configuration is in-sync with the live settings. :rocket:

eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot. Please find below the validation of the requested configuration changes:

Diff for b3e98313f1388bbcd8675979b07c9f9ff696e389

```diff
Organization iot.thingweb[id=eclipse-thingweb]

! branch_protection_rule[pattern="main", repository="dart_wot"] {
!   bypass_pull_request_allowances = "[]" -> "['@JKRhb']"
!   required_approving_review_count = null -> "1"
!   requires_pull_request = false -> true
! }

Plan: 0 to add, 3 to change, 0 to delete.
```

eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot. The current configuration is in-sync with the live settings. :rocket:

JKRhb commented 6 months ago

Thanks to @eclipse-thingweb-bot, I noticed a few things I had to fix for this updated configuration to work. I updated the PR accordingly.

netomi commented 6 months ago

The best practice to automate releases using workflows would be the following:

Here is an example:

workflow config:

Otterdog itself: https://github.com/eclipse-csi/otterdog/blob/main/.github/workflows/release.yml
Xpanse: https://github.com/eclipse-xpanse/xpanse/blob/main/.github/workflows/release.yml

otterdog config:

https://github.com/eclipse-xpanse/.eclipsefdn/blob/main/otterdog/eclipse-xpanse.jsonnet#L157-L159
https://github.com/eclipse-xpanse/.eclipsefdn/blob/main/otterdog/eclipse-xpanse.jsonnet#L164-L173

For the otterdog repo we have not set up a branch protection rule yet, but it will follow the same config as for xpanse.

It's up to you how you trigger such a release. Some people add a tag which then triggers the release workflow. I prefer to do it manually and then enter the release version that I want to release. The otterdog release workflow is then able to bump the version number after the release depending on what you select during the manual trigger.

netomi commented 6 months ago

Hmm, I see now that you have some required status checks. There is a shortcoming of branch protection rules such that even when you add a user to the bypass list, you will still not be able to push to the branch if the status checks are not attached to the commit (which will certainly not happen as these are only triggered when a PR is created). The workaround is to either disable status checks (which is ofc painful), or to use rulesets, which offer the same functionality as branch protection rules, but their bypass mechanism also works for status checks.

Example is here:

https://github.com/jetty/.eclipsefdn/blob/main/otterdog/jetty.jsonnet#L312-L332

JKRhb commented 6 months ago

Thank you for your detailed response, @netomi! :) If you could add the token for the bot to the dart_wot repository as a secret, then I think that would already solve the original issue and this PR would become obsolete, as the Thingweb bot should probably be able to trigger PR workflow runs.

eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot. Please find below the validation of the requested configuration changes:

Diff for 72e4e0e2cc69cfd7831dd10a5af9860bc8435a38

```diff
Organization iot.thingweb[id=eclipse-thingweb]

+ add repo_secret[name="BOT_TOKEN", repository="dart_wot"] {
+   name  = "BOT_TOKEN"
+   value = "pass:bots/iot.thingweb/github.com/project-token"
+ }

! branch_protection_rule[pattern="main", repository="dart_wot"] {
!   bypass_pull_request_allowances = "[]" -> "['@JKRhb']"
!   required_approving_review_count = null -> "1"
!   requires_pull_request = false -> true
! }

Plan: 1 to add, 3 to change, 0 to delete.
```

Warnings

cc @eclipse-thingweb/eclipsefdn-security

cc @eclipse-thingweb/eclipsefdn-releng

eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot. The current configuration is in-sync with the live settings. :rocket:

netomi commented 6 months ago

I have added a BOT_TOKEN secret to this PR.

The other changes are still useful, they basically require you to create a PR for each change on the main branch and require at least 1 approval. You can still merge the PR as you are in the bypass list, but you will need to create a PR. Direct pushes to the main branch will not work anymore.

eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot.

The changes could not be applied successfully, please check the output:

```
Organization iot.thingweb[id=eclipse-thingweb]
╷
│ Error: failed to load current configuration
│
│    failed running graphql query 'get-branch-protection-rules.gql': {"message": "We couldn't respond to your request in time. Sorry about that. Please try resubmitting your request and contact us if the problem persists."}
╵
```

cc @eclipse-thingweb/eclipsefdn-security

cc @eclipse-thingweb/eclipsefdn-releng

JKRhb commented 6 months ago

Thank you very much! :)

netomi commented 6 months ago

/otterdog done

eclipse-otterdog[bot] commented 6 months ago

This is your friendly self-service bot. The PR has been marked as being completed.