From 9217edced7386072844c88bbbc276d2ee1d2ca08 Mon Sep 17 00:00:00 2001
From: Philip Gichuhi <pgichuhi@microsoft.com>
Date: Mon, 13 Jan 2025 16:44:54 +0300
Subject: [PATCH] chore(security): adds branch protection policy

---
 .github/policies/branch-protection.yml  | 40 +++++++++++++++++++++++++
 .github/workflows/dotnet.yml            |  2 +-
 .github/workflows/idempotency-tests.yml | 13 ++++++++
 .github/workflows/integration-tests.yml | 13 ++++++++
 4 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 .github/policies/branch-protection.yml

diff --git a/.github/policies/branch-protection.yml b/.github/policies/branch-protection.yml
new file mode 100644
index 0000000000..4db40f7d72
--- /dev/null
+++ b/.github/policies/branch-protection.yml
@@ -0,0 +1,40 @@
+name: kiota-branch-protection
+description: Branch protection policy for the kiota repository
+resource: repository
+configuration:
+  branchProtectionRules:
+    - branchNamePattern: main
+      # Specifies whether this branch can be deleted. boolean
+      allowsDeletions: false
+      # Specifies whether forced pushes are allowed on this branch. boolean
+      allowsForcePushes: false
+      # Specifies whether new commits pushed to the matching branches dismiss pull request review approvals. boolean
+      dismissStaleReviews: true
+      # Specifies whether admins can overwrite branch protection. boolean
+      isAdminEnforced: false
+      # Indicates whether "Require a pull request before merging" is enabled. boolean
+      requiresPullRequestBeforeMerging: true
+      # Specifies the number of pull request reviews before merging. int (0-6). Should be null/empty if PRs are not required
+      requiredApprovingReviewsCount: 2
+      # Require review from Code Owners. Requires requiredApprovingReviewsCount. boolean
+      requireCodeOwnersReview: true
+      # Are commits required to be signed. boolean.
+      requiresCommitSignatures: true
+      # Are conversations required to be resolved before merging? boolean
+      requiresConversationResolution: true
+      # Are merge commits prohibited from being pushed to this branch. boolean
+      requiresLinearHistory: false
+      # Required status checks to pass before merging. Values can be any string, but if the value does not correspond to any existing status check, the status check will be stuck on pending for status since nothing exists to push an actual status
+      requiredStatusChecks:
+        - license/cla
+        - Analyze (csharp)
+        - dotnet-build
+        - check-idempotency-tests
+        - check-integration-tests
+        - build_extension
+      # Require branches to be up to date before merging
+      requiresStrictStatusChecks: true
+      # Indicates whether there are restrictions on who can push. boolean. Should be set with whoCanPush.
+      restrictsPushes: false
+      # Restrict who can dismiss pull request reviews. boolean
+      restrictsReviewDismissals: false
diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
index c01756b9f6..e292ae8dda 100644
--- a/.github/workflows/dotnet.yml
+++ b/.github/workflows/dotnet.yml
@@ -27,7 +27,7 @@ on:
       ]
 
 jobs:
-  build:
+  dotnet-build:
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/idempotency-tests.yml b/.github/workflows/idempotency-tests.yml
index 074325f488..030bb784a9 100644
--- a/.github/workflows/idempotency-tests.yml
+++ b/.github/workflows/idempotency-tests.yml
@@ -113,3 +113,16 @@ jobs:
         with:
           artifact_name: "generator"
           min_bytes: "0"
+
+  # Aggregates result of the idempotency tests for use in branch policy
+  check-idempotency-tests:
+    runs-on: ubuntu-latest
+    needs: idempotency
+    if: always()
+    steps:
+      - name: All build matrix options are successful
+        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        run: exit 0
+      - name: One or more build matrix options failed
+        if: ${{ contains(needs.*.result, 'failure') }}
+        run: exit 1
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 7e0ef9ffff..d0002178fc 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -157,3 +157,16 @@ jobs:
         with:
           artifact_name: "generator"
           min_bytes: "0"
+
+  # Aggregates result of the integration tests for use in branch policy
+  check-integration-tests:
+    runs-on: ubuntu-latest
+    needs: integration
+    if: always()
+    steps:
+      - name: All build matrix options are successful
+        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        run: exit 0
+      - name: One or more build matrix options failed
+        if: ${{ contains(needs.*.result, 'failure') }}
+        run: exit 1