[build] use rulesets to restrict and unrestrict trunk during release window #16941
titusfortner merged 7 commits into trunk
Pull request overview
This pull request implements automated GitHub ruleset management to restrict trunk branch access during the Selenium release process. The restrictions ensure that only release managers can merge changes and that all PRs are up-to-date with trunk during the critical release window.
Changes:
- Added a new reusable workflow to manage trunk branch rulesets that activates when release preparation PRs are marked ready and deactivates when they're closed without merging or when releases complete
- Integrated automatic trunk unrestriction into the release workflow to restore normal branch access after successful releases
- Added fork repository checks to skip workflows on forked repositories where secrets are unavailable
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/restrict-trunk.yml | New workflow that manages two trunk branch rulesets via GitHub API, supporting both automatic triggering from PR events and manual control via workflow dispatch |
| .github/workflows/release.yml | Adds unrestrict-trunk job with if: always() condition to disable trunk restrictions after release completion, making it a dependency for the version update job |
| .github/workflows/pre-release.yml | Adds fork check to update-rust job to prevent execution on forked repositories |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
User description
🔗 Related Issues
Addition to #16937 to prevent commits accidentally being added to release
💥 What does this PR do?
We want to make sure the PR that kicks off the automated release process was tested against trunk
instead of getting squash merged on top of it. It's also nice to be able to enforce no
changes to trunk when actively working on the release.
I've created 2 rulesets as part of this:
The rulesets are automatically enabled when the release preparation PR comes out of Draft
and is marked "Ready for Review". They are automatically disabled when the release workflow
completes, or if the release preparation PR is closed without merging (abandoned release).
This can be manually toggled via the "Manage Trunk Restrictions" workflow with
`production` environment approval (currently TLC members) or directly in repo settings: https://github.com/SeleniumHQ/selenium/settings/rules
🔧 Implementation Notes
A single consolidated `manage-trunk` job dynamically determines enforcement level:
- `inputs.enforcement` when manually triggered or called as reusable workflow
- `active` for `ready_for_review` PR events
- `disabled` for closed (unmerged) PR events

Unrestrict in `release.yml` runs with `if: always()` to ensure cleanup even on failure

Unrestrict only runs if release is successful and version updates need to happen. If it is not successful, release managers will need to manually fix and run the unrestrict job. I'm adding a slack notification if it fails and needs to be fixed.

💡 Additional Considerations
11911909, 11912022) are specific to this repo - update if rulesets are recreated
🔄 Types of changes
PR Type
Enhancement
Description
Implement GitHub rulesets to restrict trunk during release window
Automatically enable restrictions when release PR marked ready
Automatically disable restrictions when release completes
Add manual workflow to toggle trunk restrictions via approval
Skip workflows on forked repositories
File Walkthrough
- restrict-trunk.yml: New workflow to manage trunk restrictions (`.github/workflows/restrict-trunk.yml`)
invocations
event type
- pre-release.yml: Add fork check to pre-release workflow (`.github/workflows/pre-release.yml`)
- release.yml: Add unrestrict-trunk job to release workflow (`.github/workflows/release.yml`)
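
The enforcement decision described in the implementation notes can be sketched as a shell step that fails closed on anything unexpected. This is an added example, not the contents of `restrict-trunk.yml`: the function names, the `skip` result for a merged PR and the `DRY_RUN` switch are assumptions, the two ruleset IDs are the ones quoted in the description, and the call is GitHub's "update a repository ruleset" REST endpoint through `gh api`.

```shell
#!/usr/bin/env bash
# Added example; the function names and DRY_RUN are hypothetical.
# Ruleset IDs as quoted in the PR description (specific to that repository).
RULESET_IDS="11911909 11912022"

# resolve_enforcement EVENT ACTION MERGED INPUT
# Prints active, disabled or skip; returns 1 on anything it does not recognise.
resolve_enforcement() {
  local event="$1" action="$2" merged="$3" input="$4"
  if [ -n "$input" ]; then
    # Manual trigger or reusable-workflow call: accept only the two known levels.
    case "$input" in
      active|disabled) echo "$input"; return 0 ;;
      *) echo "invalid enforcement input: '$input'" >&2; return 1 ;;
    esac
  fi
  if [ "$event" != pull_request ]; then
    echo "unhandled event: '$event'" >&2; return 1
  fi
  case "$action:$merged" in
    ready_for_review:*) echo active ;;    # release prep PR left Draft
    closed:false)       echo disabled ;;  # abandoned release
    closed:true)        echo skip ;;      # assumption: merged PR is left to release.yml
    *) echo "unhandled PR action: '$action'" >&2; return 1 ;;
  esac
}

# apply_enforcement REPO LEVEL
# Sets LEVEL on both rulesets; with DRY_RUN=1 it prints the calls instead.
apply_enforcement() {
  local repo="$1" level="$2" id
  if [ "$level" = skip ]; then return 0; fi
  for id in $RULESET_IDS; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "gh api --method PUT repos/$repo/rulesets/$id -f enforcement=$level"
    else
      gh api --method PUT "repos/$repo/rulesets/$id" -f "enforcement=$level" >/dev/null
    fi
  done
}
```

Rejecting any level other than `active` or `disabled` keeps a mistyped manual input from reaching the API, and an unrecognised event leaves the rulesets unchanged.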