Protect release branches

[ggwpez]

All substrate branches with prefix polkadot-v and all Polkadot branches with prefix release-v should require approval from @coderobe or @chevdor.

I could not find such an option in the GitHub branch protection, but we need this since the release branches keep getting pushed without coordination.

### Tasks

[mordamax]

@ggwpez in gh team/enterprise plan they seem to have rulesets, which can make this happen. PR custom review, is only for PRs, and it can't prevent push or creation

this is test from https://github.com/paritytech-stg/polkadot-sdk/settings/rules/55406

@paritytech-ci @lovelaced could you please take a look and help to configure this ?

[coderobe]

This would be extremely useful, both accidental and intentional circumvention happens way too frequently. Whichever solution we have should allow @paritytech/release-engineering to push/approve

[lovelaced]

Right, if everyone agrees I can put this in place on both polkadot and substrate. There's a few more items I need to know the details of here:

[coderobe]

@lovelaced that looks good to me as-is

[lovelaced]

Okay, rules have been created and are enforcing. Please let me know if something isn't behaving as expected

[lovelaced]

Currently each is resolving to these branches being enforced under the rulesets:

polkadot:

substrate:

[coderobe]

i think you might have the targets the wrong way around

[lovelaced]

Oops so it is. Fixed

[coderobe]

Thanks 🙏

[ggwpez]

Looks like we cannot merge this now because of some rule https://github.com/paritytech/polkadot/pull/7571.

I think this "Only allow users with bypass permission to update matching refs" means that only Admins can actually merge anything, or?

[coderobe]

Looks like we cannot merge this now because of some rule paritytech/polkadot#7571.

I think this "Only allow users with bypass permission to update matching refs" means that only Admins can actually merge anything, or?

No, releng can :) merged ^^

[ggwpez]

Okay good, thanks!