Summary
The current Terraform setup in terraform/branch-protection/ uses the
github_branch_protection resource (classic, GraphQL-based). GitHub Merge
Queue is only configurable via github_repository_ruleset (REST-based) —
the classic resource does not support it
(see community discussion).
This is a prerequisite for #3177 (replacing Tide with GitHub Merge Queue).
Options
Option 1: Add rulesets alongside branch protection (minimal change)
Keep github_branch_protection for existing functionality, add
github_repository_ruleset resources only for the merge queue setting.
Rulesets and branch protection can coexist.
- Pro: Smaller diff, less risk
- Con: Two systems to maintain, potential for conflicting rules
Option 2: Migrate fully to github_repository_ruleset (cleaner)
Replace all github_branch_protection resources with
github_repository_ruleset. Rulesets are GitHub's newer, recommended
approach and support everything branch protection does plus more
(merge queue, org-level rulesets, etc.).
- Pro: Single system, future-proof, org-level rulesets possible
- Con: Larger migration, needs careful import/state management
Current Terraform Resources
From terraform/branch-protection/main.tf:
- github_branch_protection.main: protects the main branch across all
  tektoncd repos (required status checks, no force push, no deletion)
- github_branch_protection.releases: protects release-v* branches
  (stricter: requires PR reviews, requires the branch to be up to date)
Both use config/repo-checks.yaml as the source of truth for required
status checks.
Release Branches
The wildcard limitation ("merge queue cannot be enabled with branch protection
rules that use wildcard characters") only applies to classic branch protection
rules, NOT to rulesets. Rulesets support patterns natively via
conditions.ref_name.include (e.g., refs/heads/release-v*).
With rulesets we can have:
- A ruleset for main: merge queue, required status checks, etc.
- A ruleset for release-v*: required PR reviews, status checks, no force
  push (merge queue is not needed on release branches given their low traffic)
This is actually cleaner than the current setup, which has two separate
github_branch_protection resources.
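To make the two-ruleset layout concrete, here is an added example (not code from terraform/branch-protection/ or from the plumbing repo) of what the replacement resources could look like. The repo names and check contexts are constructed inline as a stand-in for config/repo-checks.yaml, whose actual schema this example does not know; the merge queue numbers are illustrative, not a recommendation. It assumes an integrations/github provider release that includes the rules.merge_queue block, which to my recollection landed partway through the 6.x series, so pin to a version whose changelog lists it rather than relying on ~> 6.0 alone.

```hcl
# Added example, not the plumbing repo's own code. Constructed sample data
# below stands in for config/repo-checks.yaml (schema assumed, not known).
locals {
  repo_checks = {
    pipeline = ["build-tests", "unit-tests"]
    triggers = ["build-tests", "unit-tests", "integration-tests"]
  }
}

# main: required checks, no force push, no deletion, plus merge queue.
resource "github_repository_ruleset" "main" {
  for_each = local.repo_checks

  name        = "main"
  repository  = each.key
  target      = "branch"
  enforcement = "active"

  conditions {
    ref_name {
      include = ["refs/heads/main"]
      exclude = []
    }
  }

  rules {
    deletion         = true # blocks branch deletion
    non_fast_forward = true # blocks force pushes

    required_status_checks {
      strict_required_status_checks_policy = true
      dynamic "required_check" {
        for_each = each.value
        content {
          context = required_check.value
        }
      }
    }

    # The setting classic github_branch_protection cannot express.
    # Values are illustrative; tune to the repo's PR volume.
    merge_queue {
      merge_method                      = "SQUASH"
      grouping_strategy                 = "ALLGREEN"
      max_entries_to_build              = 5
      max_entries_to_merge              = 5
      min_entries_to_merge              = 1
      min_entries_to_merge_wait_minutes = 5
      check_response_timeout_minutes    = 60
    }
  }
}

# release-v*: stricter review requirements, same checks, no merge queue.
resource "github_repository_ruleset" "releases" {
  for_each = local.repo_checks

  name        = "release-branches"
  repository  = each.key
  target      = "branch"
  enforcement = "active"

  conditions {
    ref_name {
      # fnmatch pattern; rulesets allow this where classic rules with
      # wildcards could not be combined with merge queue.
      include = ["refs/heads/release-v*"]
      exclude = []
    }
  }

  rules {
    deletion         = true
    non_fast_forward = true

    pull_request {
      required_approving_review_count = 1
      dismiss_stale_reviews_on_push   = true
    }

    required_status_checks {
      strict_required_status_checks_policy = true
      dynamic "required_check" {
        for_each = each.value
        content {
          context = required_check.value
        }
      }
    }
  }
}
```

Because rulesets and classic branch protection coexist, the safe cutover is two applies: first add these resources while the existing github_branch_protection resources stay in place and confirm in each repo's Settings that the rulesets show as active; only then delete the github_branch_protection resources from main.tf and apply again. The branches are covered by a ruleset for the entire window in which the classic rules are torn down. Note that with no bypass_actors block nobody, including admins, can bypass the rules, which is the intended posture here but worth stating explicitly before rollout.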
Considerations
- State migration: if going with option 2, create the new ruleset resources
  first (or terraform import them if they were created through the UI), verify
  they are enforced, and only then remove the old github_branch_protection
  resources, so there is no window where branches are unprotected
- The Terraform state is stored in a Kubernetes Secret on the OCI cluster
  (backend "kubernetes")
- Provider version ~> 6.0 already supports github_repository_ruleset
- Org-level rulesets could simplify configuration significantly (one ruleset
  for all repos instead of per-repo resources)
Related
/cc @tektoncd/plumbing-maintainers