use rulesets in the rust repo

[marcoieni]

Is there a preferred moment when we want to merge this?

• record the git SHA of each branch before the switch

[github-actions]

Dry-run check results

[WARN  rust_team::sync] sync-team is running in dry mode, no changes will be applied.
[INFO  rust_team::sync] synchronizing crates-io
[INFO  rust_team::sync] synchronizing github
[INFO  rust_team::sync] 💻 Repo Diffs:
    📝 Editing repo 'rust-lang/rust':
      Permission Changes:
        Giving team 'rust-timer' write permission
      Rulesets:
          Creating 'main'
            Include Branches: ["refs/heads/main"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true
          Creating 'main - force-push'
            Include Branches: ["refs/heads/main"]
            Require pull requests: false
          Creating 'stable'
            Include Branches: ["refs/heads/stable"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }, RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true
          Creating 'stable - force-push'
            Include Branches: ["refs/heads/stable"]
            Bypass Actors: [RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Require pull requests: false
          Creating 'stable - misc'
            Include Branches: ["refs/heads/stable"]
            Forbid force pushes: false
            Require pull requests: false
          Creating 'beta'
            Include Branches: ["refs/heads/beta"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }, RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true
          Creating 'beta - force-push'
            Include Branches: ["refs/heads/beta"]
            Bypass Actors: [RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Require pull requests: false
          Creating 'beta - misc'
            Include Branches: ["refs/heads/beta"]
            Forbid force pushes: false
            Require pull requests: false
          Creating '*'
            Include Branches: ["refs/heads/*"]
            Bypass Actors: [RulesetBypassActor { actor_id: 217112, actor_type: Integration, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true
          Creating '*/**/*'
            Include Branches: ["refs/heads/*/**/*"]
            Require pull requests: false
            Restrict updates: true
          Creating 'cargo_update'
            Include Branches: ["refs/heads/cargo_update"]
            Forbid force pushes: false
            Require pull requests: false
            Restrict deletions: false
          Creating 'automation/bors/try'
            Include Branches: ["refs/heads/automation/bors/try"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true
          Creating 'automation/bors/try-merge'
            Include Branches: ["refs/heads/automation/bors/try-merge"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true
          Creating 'automation/bors/auto'
            Include Branches: ["refs/heads/automation/bors/auto"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true
          Creating 'automation/bors/auto-merge'
            Include Branches: ["refs/heads/automation/bors/auto-merge"]
            Bypass Actors: [RulesetBypassActor { actor_id: 278306, actor_type: Integration, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true
          Creating 'try-perf'
            Include Branches: ["refs/heads/try-perf"]
            Bypass Actors: [RulesetBypassActor { actor_id: 16787004, actor_type: Team, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true
          Creating 'perf-tmp'
            Include Branches: ["refs/heads/perf-tmp"]
            Bypass Actors: [RulesetBypassActor { actor_id: 16787004, actor_type: Team, bypass_mode: Always }]
            Required approvals: 1
            Restrict updates: true

[marcoieni]

Backup (taken automatically with https://github.com/marcoieni/multicheese in case you are curious!)

[marcoieni]

From https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#about-rulesets-and-protected-branches:

Unlike protection rules, multiple rulesets can apply at the same time, so you can be confident that every rule targeting a branch in your repository will be evaluated when someone interacts with that branch

I removed this because we need multiple rules to interact with the same branch (different bypass list for normal push and force push).

[Kobzol]

In that case we should make the name required when there are multiple identical patterns, because we used the pattern as an identifier.

[marcoieni]

Here's how I tested the "stable" and "stable - force-pushes" rules.

• I created a repository in my test organization: https://github.com/marco-test-org/ruleset-test
• I created two rules

The user in the test-team was able to push to the repository but not to force-push. See marco-test-org/ruleset-test#1

[marcoieni]

There's one issue:
In the try-perf branch, the user rust-timer is allowed to push.
In rulesets, only teams and github apps can be allowed to push.
Should we create a team for rust-timer?
Another approach would be converting rust-timer to a github app but I'm not sure how difficult it is.

[Kobzol]

We are relatively close to making the unrolled PRs by bors, instead of rustc-perf. If this can wait a few weeks, rust-timer will no longer need that access.

[marcoieni]

We are relatively close to making the unrolled PRs by bors, instead of rustc-perf. If this can wait a few weeks, rust-timer will no longer need that access.

#2343 is a small change that can be reverted easily. Since this is the only blocker to have rulesets in the rust I'm in favor of creating the team. What do you think? 🤔

[Kobzol]

Sure, go ahead, it's a small change 👍

[marcoieni]

this function is only two lines but I left it like this to minimize the git diff of the PR.
We could inline the construct_ruleset free function later

[marcoieni]

this piece of code was moved up

[ubiratansoares]

I've checked all screenshots and compared side-by-side with the new config. Looks Ok to me. Perhaps @Kobzol wants to confirm whether we are good to go from his side as well.

I think it'd be nice spreading the word about this PR on T-infra/annoucements.

[Kobzol]

I realized that to mirror the previous behavior of branch protections, having a non-empty list of allowed-merge-apps should probably imply prevent-update = true. But that's non-blocking, we can do that later.

[Kobzol]

Suggested change

	# This allows bors to push without opening a PR.
	# This allows promote-release to push without opening a PR.

[marcoieni]

no, I meant bors!
The stable - force-push branch protection is there to restrict the behavior of bors.
promote-release doesn't have any restrictions because it is in all the allowed lists, so it could even delete the branch.

[marcoieni]

As noted by Kobzol:

we shouldn't turn off requiring PRs when bors is enabled, because that will turn off required PRs for everyone

[Kobzol]

Suggested change

pr-required = false

Shouldn't be needed, as rust-timer bypasses this ruleset anyway (same below).

[marcoieni]

removed!

[Kobzol]

We have to check whether this still protects tags (like 1.94.1).

[marcoieni]

it doesn't. Let's do a followup PR

[marcoieni]

the classic branch protection allows deletion, while this doesn't.
Jakub here says he prefers to prevent deletion for this and "*/**/*"

[Kobzol]

Hmm, I didn't realize deletion was allowed before. I don't think it's super important, but I guess we can try to be more strict and see if preventing deletion breaks anything.

[rustbot]

This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.