Add branch protections to template repos to enforce .forgejo as the only source #3
Labels
No labels
Compat/Breaking
Compat/Deprecation
Kind
Bug
Kind
Chore
Kind
Documentation
Kind
Enhancement
Kind
Feature
Kind
Investigation
Kind
Question
Kind
Security
Kind
Testing
Meta/Good First Issue
Meta/Help Wanted
Meta/Stale
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Resolution
Confirmed
Resolution
Duplicate
Resolution
Invalid
Resolution
Won't Fix
Status
Abandoned
Status
Blocked
Status
Needs More Info
Status
Needs Triage
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Depends on
#2 Add sync.yml workflow to propagate workflow updates across repos
XeplosionGames/.forgejo
Reference
XeplosionGames/.forgejo#3
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Type of chore
Tooling / CI
What needs doing and why?
Once the
.forgejomirror sync system is in place, template repomainbranches should only ever receive changes via the automated mirror push from.forgejo. Direct pushes or PRs tomainin template repos would bypass.forgejoas the source of truth and cause drift. Branch protection rules should be configured on each template repo (template-script,template-dotnet,template-node,template-python,template-php) to allow only the mirror/sync system to push tomain, blocking all direct pushes including from maintainers. Any changes to template content must go through.forgejomain first.Risk or impact
Once protections are in place, template content can no longer be hotfixed directly in a template repo — all changes must go through
.forgejo. This is intentional but worth being aware of during incidents.Additional context
No response
Checklist
Blocking on the
.forgejomirror sync system being designed and implemented (tracked separately). Branch protections that only allow the mirror to push tomaincannot be configured until the mirror system exists and the service account or token it uses is known — otherwise locking downmainwould make the template repos permanently unwritable.Branch protection is in place on all template repos.
The protection rule on
*uses whitelist restricted push withxeplosionas the only permitted pusher. This intentionally allows direct pushes fromxeplosionin addition to the sync workflow — template branches have stack-specific files (.editorconfig,.gitignore,xegames.config.yml,scripts/validate.sh, etc.) that differ per stack and are edited directly rather than synced frommain. Locking branches to PR-only would block that legitimate workflow.The
mainbranch on each template repo has a stricter rule on top: direct push disabled entirely, requiring a PR withxeplosionapproval. The sync workflow authenticates viaSYNC_TOKENwhich is whitelisted as a push exception.CODEOWNERS (
.forgejo/CODEOWNERS) is tracked as part of the broader security hardening work in #6.Closing as the protection model is implemented and intentional.