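# Branch Protection Rule Configuration

The following rules must be configured manually in the GitHub repository settings UI, or automated with infrastructure-as-code tools such as Terraform or Ansible.
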
## Protection rules for the main branch

Path: **Settings → Branches → Branch protection rules → Add rule**

### Required settings

| Setting | Value | Notes |
|--------|-----|------|
| Branch name pattern | `main` | Matches the main branch |
| Protect matching branches | ✅ Enabled | Turns on branch protection |
| **Require pull request reviews** | ✅ Required | At least 1 reviewer before merging |
| **Require approvals** | `1` | Minimum number of approvals |
| Dismiss stale approvals | ✅ Enabled | Re-approval is required after the PR is updated |
| Require review from Code Owners | ☐ Optional | Recommended to enable |
| **Require status checks to pass before merging** | ✅ Required | CI must pass |
| Required status checks | `rust-check`, `rust-test`, `frontend-check` | CI job names |
| **Require branches to be up to date before merging** | ☐ Optional | Recommended to leave disabled, to avoid complexity |
| Do not allow bypassing the above settings | ✅ Enabled | Even admins cannot bypass |

### Security settings

| Setting | Value |
|--------|-----|
| Lock branch | ☐ Optional (left unchecked; CI can still push) |
| Allow force pushes | ☐ Disabled (force pushes are prohibited) |
| Allow deletions | ☐ Disabled (branch deletion is prohibited) |

## Protection rules for the develop branch

Path: **Settings → Branches → Branch protection rules → Add rule**

| Setting | Value |
|--------|-----|
| Branch name pattern | `develop` |
| Protect matching branches | ✅ Enabled |
| Require pull request reviews | ✅ Required |
| Require approvals | `1` |
| Dismiss stale approvals | ✅ Enabled |
| Require status checks to pass before merging | ✅ Required |
| Required status checks | `rust-check`, `rust-test`, `frontend-check` |
| Do not allow bypassing | ✅ Enabled |
| Allow force pushes | ☐ Disabled |

## Automatically clean up merged branches

We recommend installing the GitHub App [Branch Clean Up](https://github.com/apps/branch-cleanup) or having the source branch deleted automatically after a PR is merged:

- **Settings → General → Automatically delete head branches** → ✅ Enabled

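## Configuring with the GitHub CLI (automation)

To automate the configuration in code, use the `gh` CLI:

```bash
# Install gh
brew install gh

# Log in
gh auth login

# Create the branch protection rule for main.
# The endpoint expects nested JSON objects and booleans, so the body is sent with
# --input rather than as -f string fields. "restrictions" is a required key (null = none).
# "strict": false matches the table above (branches need not be up to date before merging).
gh api repos/{owner}/{repo}/branches/main/protection -X PUT --input - <<'EOF'
{
  "required_status_checks": {"strict": false, "contexts": ["rust-check", "rust-test", "frontend-check"]},
  "enforce_admins": true,
  "required_pull_request_reviews": {"required_approving_review_count": 1, "dismiss_stale_reviews": true},
  "restrictions": null,
  "allow_force_pushes": false
}
EOF
```
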