From 8faca71c85c76b86dad93e05ac1c069e974b6138 Mon Sep 17 00:00:00 2001 From: Michael Mainer Date: Fri, 13 Oct 2023 15:32:23 -0700 Subject: [PATCH 1/3] chore: remove unused jit.yml policy file --- .github/policies/jit.yml | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 .github/policies/jit.yml diff --git a/.github/policies/jit.yml b/.github/policies/jit.yml deleted file mode 100644 index d8b2978c..00000000 --- a/.github/policies/jit.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: JIT_Access -description: Policy for admin JIT for repos in this org - -resource: repository - -configuration: - jitAccess: - enabled: true - maxHours: 2 - approvers: - requestors: - role: write - users: From 0f9583f599299b321c5d2bc2f9574488b3be776b Mon Sep 17 00:00:00 2001 From: Michael Mainer Date: Fri, 13 Oct 2023 15:36:36 -0700 Subject: [PATCH 2/3] chore: add branch protection policy --- .github/policies/m365-developer-proxy-branch-protection.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .github/policies/m365-developer-proxy-branch-protection.yml diff --git a/.github/policies/m365-developer-proxy-branch-protection.yml b/.github/policies/m365-developer-proxy-branch-protection.yml new file mode 100644 index 00000000..e69de29b From a7df413fee57d44fe0830b538ac3cd8d69a37b0f Mon Sep 17 00:00:00 2001 From: Michael Mainer Date: Fri, 13 Oct 2023 15:37:18 -0700 Subject: [PATCH 3/3] chore: add branch protection policy --- ...m365-developer-proxy-branch-protection.yml | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/.github/policies/m365-developer-proxy-branch-protection.yml b/.github/policies/m365-developer-proxy-branch-protection.yml index e69de29b..13a9edd1 100644 --- a/.github/policies/m365-developer-proxy-branch-protection.yml +++ b/.github/policies/m365-developer-proxy-branch-protection.yml @@ -0,0 +1,44 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# File initially created using https://github.com/MIchaelMainer/policyservicetoolkit/blob/main/branch_protection_export.ps1. + +name: m365-developer-proxy-branch-protection +description: Branch protection policy for the m365-developer-proxy repository +resource: repository +configuration: + branchProtectionRules: + + - branchNamePattern: main + # This branch pattern applies to the following branches: + # main + + # Specifies whether this branch can be deleted. boolean + allowsDeletions: false + # Specifies whether forced pushes are allowed on this branch. boolean + allowsForcePushes: false + # Specifies whether new commits pushed to the matching branches dismiss pull request review approvals. boolean + dismissStaleReviews: true + # Specifies whether admins can overwrite branch protection. boolean + isAdminEnforced: false + # Indicates whether "Require a pull request before merging" is enabled. boolean + requiresPullRequestBeforeMerging: true + # Specifies the number of pull request reviews before merging. int (0-6). Should be null/empty if PRs are not required + requiredApprovingReviewsCount: 1 + # Require review from Code Owners. Requires requiredApprovingReviewsCount. boolean + requireCodeOwnersReview: true + # Are commits required to be signed. boolean. TODO: all contributors must have commit signing on local machines. + requiresCommitSignatures: false + # Are conversations required to be resolved before merging? boolean + requiresConversationResolution: true + # Are merge commits prohibited from being pushed to this branch. boolean + requiresLinearHistory: false + # Required status checks to pass before merging. Values can be any string, but if the value does not correspond to any existing status check, the status check will be stuck on pending for status since nothing exists to push an actual status + requiredStatusChecks: + - CodeQL + # Require branches to be up to date before merging. boolean + requiresStrictStatusChecks: true + # Indicates whether there are restrictions on who can push. boolean. Should be set with whoCanPush. + restrictsPushes: false + # Restrict who can dismiss pull request reviews. boolean + restrictsReviewDismissals: false \ No newline at end of file