@AlexanderLanin
Member

Attempt to restrict tagging to a subset of committers.

Using bazel_registry here, because we don't use tags in that repo. So we can use it for testing this restriction.

Copilot AI review requested due to automatic review settings December 3, 2025 12:07
@AlexanderLanin AlexanderLanin requested a review from a team as a code owner December 3, 2025 12:07

@AlexanderLanin
Member Author

/otterdog validate info

Copilot AI left a comment

Pull request overview

This PR introduces tag protection functionality to the bazel_registry repository as a test case for restricting tagging operations to specific committers. The implementation adds a reusable block_tagging function that creates GitHub repository rulesets to prevent unauthorized tag creation, deletion, and updates.

Key changes:

  • Added block_tagging helper function to create tag protection rulesets with configurable patterns and bypass actors
  • Applied tag protection to bazel_registry repo restricting tag operations to infrastructure maintainers
  • Enhanced code documentation with comments explaining review rule configurations

@AlexanderLanin
Member Author

/otterdog validate

@AlexanderLanin AlexanderLanin marked this pull request as ready for review December 3, 2025 12:18
@eclipse-otterdog
Contributor

Thank you for raising a pull request to update the configuration of your GitHub organization.
You can manually add reviewers to this PR to eventually enable auto-merging.

The following conditions need to be fulfilled for auto-merging to be available:

  • valid configuration
  • approved by a project lead
  • does not require any secrets
  • does not update settings only accessible via the GitHub Web UI
  • does not remove any resource

Otterdog commands and options

You can trigger otterdog actions by commenting on this PR:

  • /otterdog team-info checks the team / org membership for the PR author
  • /otterdog validate validates the configuration change
  • /otterdog validate info validates the configuration change, printing also validation infos
  • /otterdog check-sync checks if the base ref is in sync with live settings
  • /otterdog merge merges and applies the changes if the PR is eligible for auto-merging (only accessible for the author)
  • /otterdog done notifies the self-service bot that a required manual apply operation has been performed (only accessible for members of the admin team)
  • /otterdog apply re-apply a previously failed attempt (only accessible for members of the admin team)

@eclipse-otterdog
Contributor

The author (AlexanderLanin) of this PR is associated with this organization in the role of MEMBER.

Additionally, AlexanderLanin is a member of the following teams:

@AlexanderLanin
Member Author

rebased

@AlexanderLanin
Member Author

rebased again; pypi environment was introduced in #104

@eclipse-otterdog
Contributor

Please find below the validation of the requested configuration changes:

Diff for 229c777
Project automotive.score[github_id=eclipse-score]
  there have been 29 validation infos, enable verbose output to display them.

+  add repo_ruleset[name="tags-protection", repository=bazel_registry] {
+    allows_creations           = false
+    allows_deletions           = false
+    allows_force_pushes        = false
+    allows_updates             = false
+    bypass_actors              = [
+      "@eclipse-score-bot"
+      "@eclipse-score/infrastructure-maintainers"
+    ],
+    enforcement                = "active"
+    exclude_refs               = []
+    include_refs               = [
+      "refs/tags/*"
+    ],
+    name                       = "tags-protection"
+    requires_commit_signatures = false
+    requires_deployments       = false
+    requires_linear_history    = false
+    target                     = "tag"
+  }
  
  Plan: 1 to add, 0 to change, 0 to delete.
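
Review bot: `bypass_actors` lists the `@eclipse-score-bot` account next to `@eclipse-score/infrastructure-maintainers`, so creating, updating and deleting tags stays open to anything that can act as that bot, which is wider than the "subset of committers" the description names; please confirm the bot needs the bypass, or drop it from the list. Also check `include_refs = ["refs/tags/*"]`: GitHub documents ruleset patterns as fnmatch where `*` does not match `/`, so a tag named like `release/1.0` would fall outside this rule, and `refs/tags/**/*` would be the form that also covers nested tag names.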

@eclipse-otterdog
Contributor

Warning

The current configuration is out-of-sync with the live settings:

Diff to live settings
Project automotive.score[github_id=eclipse-score]
  there have been 29 validation infos, enable verbose output to display them.

  
!   environment[name="pypi", repository=dash-license-scan] {
!     reviewers = [
+      "@eclipse-score/infrastructure-maintainers"
!     ]
!   }

  
!   environment[name="pypi", repository=tools] {
!     reviewers = [
+      "@eclipse-score/infrastructure-maintainers"
!     ]
!   }
  
  Plan: 0 to add, 2 to change, 0 to delete.

Important

The current configuration needs to be updated to reflect the live settings otherwise they would be overwritten when this PR gets merged.

cc @eclipse-score/eclipsefdn-security

cc @eclipse-score/eclipsefdn-releng

@AlexanderLanin
Member Author

@mbarbero I cannot approve the run on https://github.com/eclipse-score/dash-license-scan/deployments/pypi

Could you check if reviewers were set correctly by otterdog? I guess this observation would match the diff to live settings warning?!
