mage-os / terraform

Terraform files for managing the organization repository permissions.

Branch Protection Setting for mage-os/github-actions should only be `main` #75

Closed Vinai closed 11 months ago

Vinai commented 11 months ago

Currently the branch protection rules on https://github.com/mage-os/github-actions/settings/branches are set to * by the terraform rules. I've temporarily changed it to main, but as far as I know that will be reverted the next time the terraform config is applied.

We need only `main` to be protected so that `release-please-*` branches can be force-pushed to by a bot. The bot automatically creates releases when commits are made to the `main` branch.
The branch protection rule * prevents this from working.

sprankhub commented 11 months ago

So what you say is that we only want to protect the respective default branch of a repository? This means that anyone with write access could then push branches to the repository without a fork again. Do we want this? This should at least be discussed and decided in the tech meeting IMHO.

We could also introduce another property for repositories in variables.tf and then handle this property in main.tf to exclude certain branches. I am not a big fan of having too many exceptions from the standard, though.

/cc @damienwebdev

sprankhub commented 11 months ago

Discussed in the tech meeting that we try to allow branch creation for the user mage-os-ci only. This should fix the issue, while still keeping the current protection rules.
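The two approaches discussed above (a per-repository property in variables.tf that main.tf turns into the branch protection pattern, and letting only the mage-os-ci actor push to or create branches that match the rule), sketched as one added Terraform example. This is not code from the mage-os/terraform repository; it assumes the `integrations/github` provider in its 5.x series (the `push_restrictions`, `blocks_creations` and `force_push_bypassers` arguments) and Terraform 1.3+ for `optional()` defaults. The variable names `repositories`, `protected_branch_pattern` and `ci_push_actors` are assumptions.

```hcl
# Assumed variable shape: one entry per repository, with an optional
# override of the protected branch pattern (defaults to the org-wide "*").
variable "repositories" {
  type = map(object({
    protected_branch_pattern = optional(string, "*")
    ci_push_actors           = optional(list(string), [])
  }))
  default = {
    # constructed sample values for illustration
    "github-actions" = {
      protected_branch_pattern = "main"
      ci_push_actors           = ["mage-os-ci"]
    }
  }
}

# Resolve the CI user to its node ID so it can be referenced in push restrictions.
data "github_user" "ci" {
  for_each = toset(flatten([for r in var.repositories : r.ci_push_actors]))
  username = each.value
}

resource "github_branch_protection" "default" {
  for_each      = var.repositories
  repository_id = each.key
  pattern       = each.value.protected_branch_pattern

  # Keep the existing protections: admins are not exempt, no force pushes,
  # and every change to a matching branch goes through a reviewed pull request.
  enforce_admins      = true
  allows_force_pushes = false
  allows_deletions    = false

  required_pull_request_reviews {
    required_approving_review_count = 1
    dismiss_stale_reviews           = true
  }

  # Only the listed actors (e.g. the release bot) may create or push to
  # branches that match the pattern; everyone else must go through a fork.
  push_restrictions    = [for u in each.value.ci_push_actors : data.github_user.ci[u].node_id]
  blocks_creations     = length(each.value.ci_push_actors) > 0
  force_push_bypassers = [for u in each.value.ci_push_actors : data.github_user.ci[u].node_id]
}
```

With this layout a repository that needs no exception keeps the default `*` pattern and an empty actor list, so the protection is unchanged; only entries that set `protected_branch_pattern` or `ci_push_actors` deviate, and the deviation is visible in variables.tf rather than in a hand-edited repository setting that the next apply would revert.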

sprankhub commented 11 months ago

@damienwebdev, can I somehow manually trigger the "Release Please" bot to test if it works again? How?

damienwebdev commented 11 months ago

@sprankhub https://github.com/mage-os/github-actions/actions/runs/6261779877 and then re-run failed


sprankhub commented 11 months ago

Unfortunately, this seems to be quite hard to do.

Adding mage-os-ci to "Allow specified actors to bypass required pull requests" does not work. Even though I expected this to work...

We could have multiple branch protection rules. However, this works quite weirdly and would be hard to do, as the creation order is important:

If a repository has multiple protected branch rules that affect the same branches, the rules that include a specific branch name have the highest priority. If there is more than one protected branch rule that references the same specific branch name, then the branch rule created first will have higher priority. Protected branch rules that mention a special character, such as *, ?, or ], are applied in the order they were created, so older rules with these characters have a higher priority.

I do not have a good idea for now.