From ec21bc59045f3a114b601d3153f5a46017b5098f Mon Sep 17 00:00:00 2001 From: Julia Kafarska Date: Mon, 1 Jun 2026 21:57:30 +0200 Subject: [PATCH] chore: track release-tags ruleset template Repo-level tag ruleset protecting v* tags from deletion/force-push while allowing creation (so npm run release works); admins bypass always. Already applied to the repo via the GitHub API. --- .github/rulesets/README.md | 1 + .github/rulesets/release-tags.json | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 .github/rulesets/release-tags.json diff --git a/.github/rulesets/README.md b/.github/rulesets/README.md index ca17d35..7fbfa07 100644 --- a/.github/rulesets/README.md +++ b/.github/rulesets/README.md @@ -5,6 +5,7 @@ JSON templates for [GitHub Branch Rulesets](https://docs.github.com/en/repositor ## Files - **[`main-branch.json`](./main-branch.json)** — protect `main` against direct pushes, force-pushes, and deletion; require PR + CI to pass. +- **[`release-tags.json`](./release-tags.json)** — protect `v*` release tags from deletion and force-push. Deliberately does **not** restrict _creation_ (so `npm run release` can push new tags); admins get an "always" bypass to fix mistakes. ## Apply diff --git a/.github/rulesets/release-tags.json b/.github/rulesets/release-tags.json new file mode 100644 index 0000000..0c7aa3a --- /dev/null +++ b/.github/rulesets/release-tags.json @@ -0,0 +1,19 @@ +{ + "name": "Protect release tags", + "target": "tag", + "enforcement": "active", + "conditions": { + "ref_name": { + "include": ["refs/tags/v*"], + "exclude": [] + } + }, + "rules": [{ "type": "deletion" }, { "type": "non_fast_forward" }], + "bypass_actors": [ + { + "actor_id": 5, + "actor_type": "RepositoryRole", + "bypass_mode": "always" + } + ] +}