Add branch protections to template repos to enforce .forgejo as the only source #3

Closed
opened 2026-05-25 02:38:49 -06:00 by Xeplosion · 2 comments
Owner

Type of chore

Tooling / CI

What needs doing and why?

Once the .forgejo mirror sync system is in place, template repo main branches should only ever receive changes via the automated mirror push from .forgejo. Direct pushes or PRs to main in template repos would bypass .forgejo as the source of truth and cause drift. Branch protection rules should be configured on each template repo (template-script, template-dotnet, template-node, template-python, template-php) to allow only the mirror/sync system to push to main, blocking all direct pushes including from maintainers. Any changes to template content must go through .forgejo main first.

Risk or impact

Once protections are in place, template content can no longer be hotfixed directly in a template repo — all changes must go through .forgejo. This is intentional but worth being aware of during incidents.

Additional context

No response

Checklist

  • I have described why this is worth doing now
  • I have noted any risk or impact on other work
### Type of chore Tooling / CI ### What needs doing and why? Once the `.forgejo` mirror sync system is in place, template repo `main` branches should only ever receive changes via the automated mirror push from `.forgejo`. Direct pushes or PRs to `main` in template repos would bypass `.forgejo` as the source of truth and cause drift. Branch protection rules should be configured on each template repo (`template-script`, `template-dotnet`, `template-node`, `template-python`, `template-php`) to allow only the mirror/sync system to push to `main`, blocking all direct pushes including from maintainers. Any changes to template content must go through `.forgejo` main first. ### Risk or impact Once protections are in place, template content can no longer be hotfixed directly in a template repo — all changes must go through `.forgejo`. This is intentional but worth being aware of during incidents. ### Additional context _No response_ ### Checklist - [x] I have described why this is worth doing now - [x] I have noted any risk or impact on other work
Author
Owner

Blocking on the .forgejo mirror sync system being designed and implemented (tracked separately). Branch protections that only allow the mirror to push to main cannot be configured until the mirror system exists and the service account or token it uses is known — otherwise locking down main would make the template repos permanently unwritable.

Blocking on the `.forgejo` mirror sync system being designed and implemented ([tracked separately](https://git.xegames.online/XeplosionGames/.forgejo/issues/2)). Branch protections that only allow the mirror to push to `main` cannot be configured until the mirror system exists and the service account or token it uses is known — otherwise locking down `main` would make the template repos permanently unwritable.
Author
Owner

Branch protection is in place on all template repos.

The protection rule on * uses whitelist restricted push with xeplosion as the only permitted pusher. This intentionally allows direct pushes from xeplosion in addition to the sync workflow — template branches have stack-specific files (.editorconfig, .gitignore, xegames.config.yml, scripts/validate.sh, etc.) that differ per stack and are edited directly rather than synced from main. Locking branches to PR-only would block that legitimate workflow.

The main branch on each template repo has a stricter rule on top: direct push disabled entirely, requiring a PR with xeplosion approval. The sync workflow authenticates via SYNC_TOKEN which is whitelisted as a push exception.

CODEOWNERS (.forgejo/CODEOWNERS) is tracked as part of the broader security hardening work in #6.

Closing as the protection model is implemented and intentional.

Branch protection is in place on all template repos. The protection rule on `*` uses **whitelist restricted push** with `xeplosion` as the only permitted pusher. This intentionally allows direct pushes from `xeplosion` in addition to the sync workflow — template branches have stack-specific files (`.editorconfig`, `.gitignore`, `xegames.config.yml`, `scripts/validate.sh`, etc.) that differ per stack and are edited directly rather than synced from `main`. Locking branches to PR-only would block that legitimate workflow. The `main` branch on each template repo has a stricter rule on top: direct push disabled entirely, requiring a PR with `xeplosion` approval. The sync workflow authenticates via `SYNC_TOKEN` which is whitelisted as a push exception. CODEOWNERS (`.forgejo/CODEOWNERS`) is tracked as part of the broader security hardening work in #6. Closing as the protection model is implemented and intentional.
Sign in to join this conversation.
No milestone
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Reference
XeplosionGames/.forgejo#3
No description provided.