From bcb9e1c11c56e60ed35ca88d518e7ace8d1eb2b8 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Tue, 14 Apr 2026 22:34:20 +0200 Subject: [PATCH 1/5] Switches from `protected_branches` to `rulesets` Similarly to apache/logging-parent#456 this PR switches from GitHub Branch Protection to Rulesets and: - Keeps the same rules for `main`, while protection `2.x` is **temporarily** disabled in case we need to update the `.asf.yaml` file. - Adds tag protection for the `rel/*` tags. --- .asf.yaml | 54 +++++++++++++++++++++++++++++------------------------- 1 file changed, 29 insertions(+), 25 deletions(-) diff --git a/.asf.yaml b/.asf.yaml index 1a37fb49233..2b1beead630 100644 --- a/.asf.yaml +++ b/.asf.yaml @@ -18,6 +18,13 @@ # `.asf.yaml` is a branch-specific YAML configuration file for Git repositories to control features such as notifications, GitHub settings, etc. # See its documentation for details: https://github.com/apache/infrastructure-asfyaml +# +# Additional non-standard features +# +meta: + environments: + - github_rulesets + # Bare minimum `notifications` to # # 1. Forward GitHub _activity_ to `notifications@` 
@@ -72,35 +79,32 @@ github: merge: false rebase: false - # Enforce Review-then-Commit - protected_branches: - 2.x: - # All reviews must be addressed before merging - required_conversation_resolution: true - # Require checks to pass before merging - required_status_checks: - checks: - # The GitHub Actions app: 15368 - - app_id: 15368 - context: "build / build (ubuntu-latest)" - # The GitHub Advanced Security app: 57789 - - app_id: 57789 - context: "CodeQL" - # At least one positive review must be present - required_pull_request_reviews: - required_approving_review_count: 1 - main: + # Clear Protected Branches configuration: it is replaced by GitHub Rulesets + protected_branches: { } + + rulesets: + # Enforce Review-then-Commit + - name: "Branch protection" + type: branch + branches: + includes: + - "main" # All reviews must be addressed before merging required_conversation_resolution: true # Require checks to pass before merging required_status_checks: - checks: - # The GitHub Actions app: 15368 - - app_id: 15368 - context: "build / build (ubuntu-latest)" - # The GitHub Advanced Security app: 57789 - - app_id: 57789 - context: "CodeQL" + # The GitHub Actions app + - app_slug: github-actions + name: "build / build (ubuntu-latest)" + # The GitHub Advanced Security + - app_slug: github-advanced-security + name: "CodeQL" # At least one positive review must be present required_pull_request_reviews: required_approving_review_count: 1 + # Protect tags + - name: "Tag protection" + type: tag + branches: + includes: + - "rel/*" From cccea50e2b41a40a787491b7a548c2e8f6504ca2 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 16 Apr 2026 09:00:29 +0200 Subject: [PATCH 2/5] Workaround `.asf.yaml` limitations --- .asf.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.asf.yaml b/.asf.yaml index 2b1beead630..7d2d7557d3d 100644 --- a/.asf.yaml +++ b/.asf.yaml 
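Review bot: With `protected_branches: { }` and only `"main"` under `includes`, this commit leaves `2.x` with neither classic branch protection nor a ruleset, so required review, conversation resolution and the two status checks stop applying there. The commit message calls this temporary, but nothing in the file marks it; if the series is merged without squashing, that gap exists on every intermediate revision until `2.x` is listed again. A comment next to the cleared key would make the state explicit, e.g. `# 2.x is intentionally unprotected until it is added to the ruleset below`. The "Tag protection" entry also declares only a name, type and pattern, so what it actually restricts depends on defaults not visible here and should be confirmed on the generated ruleset.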
@@ -88,16 +88,19 @@ github: type: branch branches: includes: - - "main" + - "refs/heads/2.x" + - "refs/heads/main" # All reviews must be addressed before merging required_conversation_resolution: true # Require checks to pass before merging required_status_checks: # The GitHub Actions app - - app_slug: github-actions + # https://api.github.com/apps/github-actions + - app_slug: 15368 name: "build / build (ubuntu-latest)" # The GitHub Advanced Security - - app_slug: github-advanced-security + # https://api.github.com/apps/github-advanced-security + - app_slug: 57789 name: "CodeQL" # At least one positive review must be present required_pull_request_reviews: @@ -107,4 +110,4 @@ github: type: tag branches: includes: - - "rel/*" + - "refs/tags/rel/*" From 8e77f25e1c86848bff31b8fd746edfe00cf285c2 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 28 May 2026 11:13:52 +0200 Subject: [PATCH 3/5] fix: protect tags --- .asf.yaml | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/.asf.yaml b/.asf.yaml index 7d2d7557d3d..506eb95e339 100644 --- a/.asf.yaml +++ b/.asf.yaml @@ -105,9 +105,21 @@ github: # At least one positive review must be present required_pull_request_reviews: required_approving_review_count: 1 - # Protect tags + # Use raw rules, until a convenience notation for `restrict_update` is introduced. + # See: https://github.com/apache/infrastructure-asfyaml/issues/96 + # + # The raw rules need to follow the syntax given in: + # https://docs.github.com/en/rest/repos/rules?apiVersion=2026-03-10#update-a-repository-ruleset - name: "Tag protection" - type: tag - branches: - includes: - - "refs/tags/rel/*" + target: tag + enforcement: active + bypass_actors: [] + conditions: + ref_name: + include: + - "refs/tags/rel/*" + exclude: [] + rules: + - type: deletion + - type: non_fast_forward + - type: update From 02a794f36dec6642d0ff83f8ce63408979ca5778 Mon Sep 17 00:00:00 2001 
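Review bot: In the `required_status_checks` entries, `app_slug` now holds the numeric ids `15368` and `57789`, and the added URL comments do not say that this is a workaround or what to check afterwards. Binding a required check to its app is what keeps a same-named status reported by another integration from satisfying the rule, so it matters that the value is actually resolved; whether the tooling accepts an id in a slug field is not visible from this hunk. I would extend the comment, e.g. `# Workaround: numeric app id in place of the slug; confirm the generated ruleset still pins this check to the GitHub Actions app`. The ruleset entry starts above the hunk.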
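Review bot: The raw `rules` list for `refs/tags/rel/*` blocks `deletion`, `non_fast_forward` and `update` but has no `creation` rule, so existing release tags become immutable while anyone with push access can still create a new `rel/*` tag. If that is intended so release managers can publish tags, the comment block should say so, e.g. `# Creation stays open for release managers; existing rel/* tags cannot be moved or deleted`. It is also worth noting in the same comment that `bypass_actors: []` leaves no one able to correct a mistaken tag without first changing this file.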
From: "Piotr P. Karwasz" Date: Thu, 28 May 2026 11:16:37 +0200 Subject: [PATCH 4/5] fix: special environment no longer needed --- .asf.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.asf.yaml b/.asf.yaml index 506eb95e339..e3470d36945 100644 --- a/.asf.yaml +++ b/.asf.yaml @@ -18,13 +18,6 @@ # `.asf.yaml` is a branch-specific YAML configuration file for Git repositories to control features such as notifications, GitHub settings, etc. # See its documentation for details: https://github.com/apache/infrastructure-asfyaml -# -# Additional non-standard features -# -meta: - environments: - - github_rulesets - # Bare minimum `notifications` to # # 1. Forward GitHub _activity_ to `notifications@` From a8fb9d2e5c6dce0fa90c71e65a249839c552ae16 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 28 May 2026 11:17:48 +0200 Subject: [PATCH 5/5] fix: remove no longer needed workarounds --- .asf.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.asf.yaml b/.asf.yaml index e3470d36945..12b6e050e1f 100644 --- a/.asf.yaml +++ b/.asf.yaml @@ -81,19 +81,17 @@ github: type: branch branches: includes: - - "refs/heads/2.x" - - "refs/heads/main" + - "2.x" + - "main" # All reviews must be addressed before merging required_conversation_resolution: true # Require checks to pass before merging required_status_checks: # The GitHub Actions app - # https://api.github.com/apps/github-actions - - app_slug: 15368 + - app_slug: github-actions name: "build / build (ubuntu-latest)" # The GitHub Advanced Security - # https://api.github.com/apps/github-advanced-security - - app_slug: 57789 + - app_slug: github-advanced-security name: "CodeQL" # At least one positive review must be present required_pull_request_reviews:
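Review bot: The branch ruleset in this hunk, now covering `2.x` and `main`, states no enforcement mode and no bypass list, unlike the raw "Tag protection" entry in the same file, which sets `enforcement: active` and `bypass_actors: []`. Its effective strength therefore rests on the defaults of the convenience notation, which this page does not show. A short comment would record the expectation, e.g. `# Enforcement and bypass actors use the .asf.yaml defaults; verify the generated ruleset is active with no bypass actors`. The entry's `name` line lies above the hunk, so this is based on the visible keys only.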