use rulesets in the rust repo

[marcoieni]

Is there a preferred moment when we want to merge this?

[github-actions]

Dry-run check results

[WARN  rust_team::sync] sync-team is running in dry mode, no changes will be applied.
[INFO  rust_team::sync] synchronizing crates-io
[INFO  rust_team::sync] synchronizing github
[INFO  rust_team::sync] 💻 Repo Diffs:
    📝 Editing repo 'rust-lang/rust':
      Permission Changes:
        Giving team 'rust-timer' write permission
      Rulesets:
          Creating 'main'
            Include Branches: ["refs/heads/main"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'main - force-push'
            Include Branches: ["refs/heads/main"]
          Creating 'stable'
            Include Branches: ["refs/heads/stable"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }, RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'stable - force-push'
            Include Branches: ["refs/heads/stable"]
            Bypass Actors: [RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
          Creating 'beta'
            Include Branches: ["refs/heads/beta"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }, RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'beta - force-push'
            Include Branches: ["refs/heads/beta"]
            Bypass Actors: [RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
          Creating '*'
            Include Branches: ["refs/heads/*"]
            Bypass Actors: [RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true
          Creating '*/**/*'
            Include Branches: ["refs/heads/*/**/*"]
            Restrict updates: true
          Creating 'cargo_update'
            Include Branches: ["refs/heads/cargo_update"]
          Creating 'automation/bors/try'
            Include Branches: ["refs/heads/automation/bors/try"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'automation/bors/try-merge'
            Include Branches: ["refs/heads/automation/bors/try-merge"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'automation/bors/auto'
            Include Branches: ["refs/heads/automation/bors/auto"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'automation/bors/auto-merge'
            Include Branches: ["refs/heads/automation/bors/auto-merge"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Restrict updates: true
          Creating 'try-perf'
            Include Branches: ["refs/heads/try-perf"]
            Bypass Actors: [RulesetBypassActor { actor_id: 16787004, actor_type: Team, bypass_mode: Always }]
            Restrict updates: true
          Creating 'perf-tmp'
            Include Branches: ["refs/heads/perf-tmp"]
            Bypass Actors: [RulesetBypassActor { actor_id: 16787004, actor_type: Team, bypass_mode: Always }]
            Restrict updates: true

[marcoieni]

Backup (taken automatically with https://github.com/marcoieni/multicheese in case you are curious!)

[marcoieni]

From https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#about-rulesets-and-protected-branches:

Unlike protection rules, multiple rulesets can apply at the same time, so you can be confident that every rule targeting a branch in your repository will be evaluated when someone interacts with that branch

I removed this because we need multiple rules to interact with the same branch (different bypass list for normal push and force push).

[Kobzol]

In that case we should make the name required when there are multiple identical patterns, because we used the pattern as an identifier.

[marcoieni]

Here's how I tested the "stable" and "stable - force-pushes" rules.

• I created a repository in my test organization: https://github.com/marco-test-org/ruleset-test
• I created two rules

The user in the test-team was able to push to the repository but not to force-push. See marco-test-org/ruleset-test#1

[marcoieni]

There's one issue:
In the try-perf branch, the user rust-timer is allowed to push.
In rulesets, only teams and github apps can be allowed to push.
Should we create a team for rust-timer?
Another approach would be converting rust-timer to a github app but I'm not sure how difficult it is.

[Kobzol]

We are relatively close to making the unrolled PRs by bors, instead of rustc-perf. If this can wait a few weeks, rust-timer will no longer need that access.

[marcoieni]

We are relatively close to making the unrolled PRs by bors, instead of rustc-perf. If this can wait a few weeks, rust-timer will no longer need that access.

#2343 is a small change that can be reverted easily. Since this is the only blocker to have rulesets in the rust I'm in favor of creating the team. What do you think? 🤔

[Kobzol]

Sure, go ahead, it's a small change 👍

[marcoieni]

this function is only two lines but I left it like this to minimize the git diff of the PR.
We could inline the construct_ruleset free function later

[marcoieni]

this piece of code was moved up

[Kobzol]

I don't understand why we need two separate branch protections to prevent force pushes. Force pushes should be disabled for everyone, even for bors.

[marcoieni]

Force pushes should be disabled for everyone, even for bors.

That's what the main - force-push rule does. It prevents everyone (including bors) to force push.
Bors is in the main rule, so that rule doesn't apply to bors. To restrict bors, we need another rule where bors isn't in the bypass list.

[Kobzol]

Ah, I see, I forgot about the other branch protection. That's quite stupid that rulesets work like this, tbh 😆 It would be better if we could bypass only specific properties.. but I understand that would make the options more complicated.

It's quite non-obvious though, and it seems hard to ensure that the other branch protection don't enable something that we don't want, hmm.

[marcoieni]

It's quite non-obvious though, and it seems hard to ensure that the other branch protection don't enable something that we don't want, hmm.

Yeah, it requires a different mindset than before a bit.

[Kobzol]

Wait, but if the force push ruleset requires a PR by default, doesn't that mean that it will require a PR also for bors?

[marcoieni]

yes, you are right, in my test I didn't have "requires a PR" in the settings.
Probably we should add a third rule related to main 😅

[Kobzol]

Not a third rule, just disable requiring PRs here.

[marcoieni]

With "here" you mean in the "main - force push"?
I think you are right!
Because "main" already prevent everyone from opening PRs.
I'll do it.

[marcoieni]

I did the same for stable and beta as well.

[Kobzol]

What does prevent-update actually do? Any why isn't it the default?

[marcoieni]

From https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#restrict-updates:

If selected, only users with bypass permissions can push to branches or tags whose name matches the pattern you specify.

At the moment it's not enabled by default. I will raise a PR to make it the default.

[Kobzol]

Hmm, it seems that the mental model of branch protections and rulesets quite diverges here. I guess that prevent-update = true should be automatically set by pr-required = true?

[marcoieni]

Yeah the fact that you both have "restrict updates" and "require a pull request before merging" as possible rules is weird. I think it makes sense for tags, but still..
I will raise a PR

[marcoieni]

I think we can resolve this after #2346 and #2348

[marcoieni]

We added "allow force push" to the cargo_update branch. See #t-infra > cargo_update branch protection broken

[ubiratansoares]

I've checked all screenshots and compared side-by-side with the new config. Looks Ok to me. Perhaps @Kobzol wants to confirm whether we are good to go from his side as well.

I think it'd be nice spreading the word about this PR on T-infra/annoucements.

[Kobzol]

I realized that to mirror the previous behavior of branch protections, having a non-empty list of allowed-merge-apps should probably imply prevent-update = true. But that's non-blocking, we can do that later.

[Kobzol]

Suggested change

	# This allows bors to push without opening a PR.
	# This allows promote-release to push without opening a PR.

[marcoieni]

no, I meant bors!
The stable - force-push branch protection is there to restrict the behavior of bors.
promote-release doesn't have any restrictions because it is in all the allowed lists, so it could even delete the branch.

[rustbot]

This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

[rustbot]

☔ The latest upstream changes (possibly #2355) made this pull request unmergeable. Please resolve the merge conflicts.