Configure squash merge and security hardening by xnoto · Pull Request #2 · makeitworkcloud/tfroot-github

xnoto · 2026-03-03T07:06:17Z

Configures squash merge as default, disables force pushes for security, and enables branch cleanup.

github-actions · 2026-03-03T07:07:46Z

OpenTofu Plan

OpenTofu will perform the following actions:

  # github_branch_protection.protections[".github"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOPDNmL84EC8t_"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["ansible-project-libvirt"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOQsXoHM4EPi_b"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["ansible-role-crc"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOP2QhNc4EPi_c"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["ansible-site-cluster"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOP2RlWs4EPi_d"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["cflan"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOOulWjM4EPi_e"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["images"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOQsexys4EPi_f"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["kustomize-cluster"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOQsxTyc4EPi_g"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["shared-workflows"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOQsfaHs4EPi_h"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["terraform-libvirt-domain"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOQsXn984EPi_i"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["tfroot-aws"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOQsXn6c4EPi_j"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["tfroot-cloudflare"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOQsXoEM4EPi_k"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["tfroot-github"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOQsXoMs4EPi_l"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["tfroot-libvirt"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOQsXoKM4EPi_n"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_branch_protection.protections["www"] will be updated in-place
  ~ resource "github_branch_protection" "protections" {
      ~ allows_force_pushes             = true -> false
        id                              = "BPR_kwDOOuKZAc4EPi_o"
        # (9 unchanged attributes hidden)

      ~ required_pull_request_reviews {
          ~ dismissal_restrictions          = [
              + "/admins",
            ]
          ~ pull_request_bypassers          = [
              + "/admins",
            ]
            # (5 unchanged attributes hidden)
        }

      ~ restrict_pushes {
          ~ push_allowances  = [
              + "/admins",
            ]
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

  # github_repository.repositories[".github"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = ".github"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = ".github"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (33 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["ansible-project-libvirt"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "ansible-project-libvirt"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "ansible-project-libvirt"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (32 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["ansible-role-crc"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "ansible-role-crc"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "ansible-role-crc"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (33 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["ansible-site-cluster"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "ansible-site-cluster"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "ansible-site-cluster"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (32 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["cflan"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "cflan"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "cflan"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (34 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["images"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "images"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "images"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (32 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["kustomize-cluster"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "kustomize-cluster"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "kustomize-cluster"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (30 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["shared-workflows"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "shared-workflows"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "shared-workflows"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (31 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["terraform-libvirt-domain"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "terraform-libvirt-domain"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "terraform-libvirt-domain"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (32 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["tfroot-aws"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "tfroot-aws"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "tfroot-aws"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (32 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["tfroot-cloudflare"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "tfroot-cloudflare"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "tfroot-cloudflare"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (32 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["tfroot-github"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "tfroot-github"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "tfroot-github"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (32 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["tfroot-libvirt"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "tfroot-libvirt"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "tfroot-libvirt"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (32 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # github_repository.repositories["www"] will be updated in-place
  ~ resource "github_repository" "repositories" {
      ~ allow_rebase_merge                      = true -> false
      ~ delete_branch_on_merge                  = false -> true
        id                                      = "www"
      + ignore_vulnerability_alerts_during_read = false
        name                                    = "www"
      ~ squash_merge_commit_message             = "COMMIT_MESSAGES" -> "PR_BODY"
      ~ squash_merge_commit_title               = "COMMIT_OR_PR_TITLE" -> "PR_TITLE"
        # (34 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 28 to change, 0 to destroy.

feat: configure squash merge and disable force pushes

3a62075

xnoto merged commit 8754dc2 into main Mar 3, 2026
3 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Configure squash merge and security hardening#2

Configure squash merge and security hardening#2
xnoto merged 1 commit intomainfrom
configure-squash-merge

xnoto commented Mar 3, 2026

Uh oh!

github-actions bot commented Mar 3, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

xnoto commented Mar 3, 2026

Uh oh!

github-actions bot commented Mar 3, 2026

OpenTofu Plan

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant