Protect all tags from deletions and updates after creation

[mbarbero]

No description provided.

[eclipse-otterdog]

This is your friendly self-service bot.

Thank you for raising a pull request to update the configuration of your GitHub organization.
You can manually add reviewers to this PR to eventually enable auto-merging.

The following conditions need to fulfilled for auto-merging to be available:

• valid configuration
• approved by a project lead
• does not require any secrets
• does not update settings only accessible via the GitHub Web UI
• does not remove any resource

Otterdog commands and options

You can trigger otterdog actions by commenting on this PR:

• /otterdog team-info checks the team / org membership for the PR author
• /otterdog validate validates the configuration change
• /otterdog validate info validates the configuration change, printing also validation infos
• /otterdog check-sync checks if the base ref is in sync with live settings
• /otterdog merge merges and applies the changes if the PR is eligible for auto-merging (only accessible for the author)
• /otterdog done notifies the self-service bot that a required manual apply operation has been performed (only accessible for members of the admin team)
• /otterdog apply re-apply a previously failed attempt (only accessible for members of the admin team)

[eclipse-otterdog]

This is your friendly self-service bot.

The author (mbarbero) of this PR is associated with this organization in the role of MEMBER.

Additionally, mbarbero is a member of the following teams:

• eclipsefdn-security

[eclipse-otterdog]

This is your friendly self-service bot.
This Pull Request is eligible for auto-merging as it passed the following checks:

• valid configuration
• approved by a project lead
• does not require any secrets
• does not update settings only accessible via the GitHub Web UI
• does not remove any resource

In order to automatically merge and apply the changes, add a comment /otterdog merge. 🚀

[mbarbero]

@eclipse-californium/iot-californium-project-leads, this PR comes as a suggestion from a discussion with @boaks. Feel free to ask questions.

[boaks]

To be frank: I wrote in the "future", which is mainly caused by being busy with other tasks.

In the past we have only removed tags, if they were created in the scope of "test runs for the build system". Or if something during the release failed. With that, I would only freeze a tag after the release has successfully published in the eclipse repo and maven central. But also that, please postpone this.

[mbarbero]

please postpone this.

Of course, we understand that this may feel intrusive and not the best time to try new workflows.

I would just like to conclude by mentioning that these rules can be created in evaluate mode, which means they don't block anything; they simply report information when triggered. It’s a good first step to refine the workflow according to your needs. What do you think?

[eclipse-otterdog]

Please find below the validation of the requested configuration changes:

Diff for 5e8630f

Project iot.californium[github_id=eclipse-californium]
!                                                                                                             
! Warning:   repository[name="californium.tools"] has 'gh_pages_build_type' with value 'legacy', but no       
!            corresponding 'github-pages' environment, please add such an environment.                        
!                                                                                                             
  there have been 5 validation infos, enable verbose output to display them.

+  add repo_ruleset[name="tags-protection", repository=californium] {
+    allows_creations           = true
+    allows_deletions           = false
+    allows_force_pushes        = false
+    allows_updates             = false
+    bypass_actors              = []
+    enforcement                = "active"
+    exclude_refs               = []
+    include_refs               = [
+      "~ALL"
+    ],
+    name                       = "tags-protection"
+    requires_commit_signatures = false
+    requires_deployments       = false
+    requires_linear_history    = false
+    target                     = "tag"
+  }

+  add repo_ruleset[name="tags-protection", repository=californium.actinium] {
+    allows_creations           = true
+    allows_deletions           = false
+    allows_force_pushes        = false
+    allows_updates             = false
+    bypass_actors              = []
+    enforcement                = "active"
+    exclude_refs               = []
+    include_refs               = [
+      "~ALL"
+    ],
+    name                       = "tags-protection"
+    requires_commit_signatures = false
+    requires_deployments       = false
+    requires_linear_history    = false
+    target                     = "tag"
+  }

+  add repo_ruleset[name="tags-protection", repository=californium.tools] {
+    allows_creations           = true
+    allows_deletions           = false
+    allows_force_pushes        = false
+    allows_updates             = false
+    bypass_actors              = []
+    enforcement                = "active"
+    exclude_refs               = []
+    include_refs               = [
+      "~ALL"
+    ],
+    name                       = "tags-protection"
+    requires_commit_signatures = false
+    requires_deployments       = false
+    requires_linear_history    = false
+    target                     = "tag"
+  }
  
  Plan: 3 to add, 0 to change, 0 to delete.