echokit

Branch Protection Rules

This document describes the recommended branch protection rules for the EchoKit repository.

How to Configure

  1. Go to Settings β†’ Branches β†’ Add rule
  2. Apply to branch: main
  3. Configure the following rules:

βœ… Required Checks

Protect Matching Branches

Status Checks

Note: Test/smoke is currently skipped in CI (see Issue #4), so it’s not a required check.


🚫 Restrictions


πŸ” Additional Protections

Force Push

Deletions


πŸ“‹ Complete Configuration Checklist

Copy-paste this into GitHub’s branch protection UI:

Branch name pattern: main

β˜‘οΈ Require a pull request before merging
  β˜‘οΈ Require approvals: 1
  β˜‘οΈ Dismiss stale pull request approvals when new commits are pushed
  ☐ Require review from Code Owners
  β˜‘οΈ Require approval of the most recent reviewable push
  ☐ Require conversation resolution before merging (recommended)

β˜‘οΈ Require status checks to pass before merging
  β˜‘οΈ Require branches to be up to date before merging
  Status checks that are required:
    - Test/validate
    - CodeRabbit

☐ Require signed commits (optional)

β˜‘οΈ Require linear history (optional - prevents merge commits)

β˜‘οΈ Do not allow bypassing the above settings (recommended)

β˜‘οΈ Restrict who can push to matching branches (optional)
  Add: github-actions[bot] (for auto-release)

Rules applied to administrators:
  β˜‘οΈ Include administrators (recommended)

πŸ€– Auto-Release Considerations

GitHub Actions Permissions

The auto-release.yml workflow needs permission to push tags to main. Configure:

  1. Settings β†’ Actions β†’ General
  2. Workflow permissions: Select β€œRead and write permissions”
  3. βœ… Allow GitHub Actions to create and approve pull requests (optional)

Required for Auto-Release

# In .github/workflows/auto-release.yml
permissions:
  contents: write  # Allows creating tags

πŸ”§ Alternative: Rulesets (New GitHub Feature)

If your repository uses GitHub’s new Rulesets feature:

Create Ruleset for main

  1. Settings β†’ Rules β†’ Rulesets β†’ New ruleset
  2. Name: Protect main branch
  3. Target branches: main
  4. Rules:
    • Require pull request: βœ“
    • Require status checks: βœ“ (Test/validate, CodeRabbit)
    • Block force pushes: βœ“
    • Require conversation resolution: βœ“

πŸ“ Enforcement Level

Current Recommendation: Start with Flexible, move to Strict as team grows.


βœ… Verification

After configuring, verify by:

  1. Creating a test PR
  2. Attempting to merge without approval β†’ Should be blocked βœ“
  3. Attempting to push directly to main β†’ Should be blocked βœ“
  4. Checking that auto-release workflow can push tags β†’ Should work βœ“

πŸ”„ Updates to This Document

Last updated: 2026-05-11
Update when: Branch protection requirements change


Note: These are recommendations based on EchoKit’s current workflow. Adjust based on your team’s needs.