From e70c03529d0823d8e3f04288ddecc2f91cbe0bf5 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 9 Feb 2026 08:29:56 +0000
Subject: [PATCH 1/4] Initial plan
From 22e9f722265a34b9ea81c371100f18c63d09bba1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 9 Feb 2026 08:32:31 +0000
Subject: [PATCH 2/4] Add branch protection configuration and documentation
Co-authored-by: OneM1 <111998759+OneM1@users.noreply.github.com>
---
 .github/CODEOWNERS | 21 +++
 .github/PULL_REQUEST_TEMPLATE.md | 49 +++++
 .github/settings.yml | 61 +++++++
 .github/workflows/branch-protection-check.yml | 50 +++++
 BRANCH_PROTECTION.md | 172 ++++++++++++++++++
 README.md | 8 +
 6 files changed, 361 insertions(+)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/PULL_REQUEST_TEMPLATE.md
 create mode 100644 .github/settings.yml
 create mode 100644 .github/workflows/branch-protection-check.yml
 create mode 100644 BRANCH_PROTECTION.md
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..c047dd3
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,21 @@
+# CODEOWNERS file
+# This file defines individuals or teams that are responsible for code in this repository.
+# These individuals are automatically requested for review when someone opens a pull request.
+
+# Default owners for everything in the repo
+* @OneM1
+
+# Backend code
+/app/ @OneM1
+/alembic/ @OneM1
+
+# Frontend code
+/frontend/ @OneM1
+
+# Configuration files
+*.yml @OneM1
+*.yaml @OneM1
+requirements.txt @OneM1
+
+# Documentation
+*.md @OneM1
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..86b019f
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
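Review bot: The default entry `* @OneM1` already assigns the same owner to every path, so the per-path entries below it (`/app/`, `/alembic/`, `/frontend/`, `*.yml`, `*.md`, ...) currently add no reviewers and only become meaningful once ownership is split between people or teams; a short comment saying so would stop the next maintainer from assuming they carry extra weight. Note also that CODEOWNERS only gates merges when the branch rule sets `require_code_owner_reviews: true`, and the `.github/settings.yml` added in this same patch leaves it at `false`, so as written the file only auto-requests reviews. Suggest adding `# Review requests only: code-owner approval is not required by the branch rule (see .github/settings.yml)` near the top so the effective behaviour is documented where it is read.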
@@ -0,0 +1,49 @@
+## Description
+
+
+## Type of Change
+
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Documentation update
+- [ ] Code refactoring
+- [ ] Performance improvement
+- [ ] Test addition or improvement
+
+## Changes Made
+
+
+-
+-
+-
+
+## Testing
+
+
+- [ ] I have tested this code locally
+- [ ] All existing tests pass
+- [ ] I have added new tests (if applicable)
+
+## Checklist
+
+
+- [ ] My code follows the style guidelines of this project
+- [ ] I have performed a self-review of my own code
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] I have made corresponding changes to the documentation
+- [ ] My changes generate no new warnings
+- [ ] I have checked that this PR does not introduce security vulnerabilities
+- [ ] Any dependent changes have been merged and published
+
+## Related Issues
+
+
+Closes #
+
+## Screenshots (if applicable)
+
+
+## Additional Notes
+
diff --git a/.github/settings.yml b/.github/settings.yml
new file mode 100644
index 0000000..f0809c0
--- /dev/null
+++ b/.github/settings.yml
@@ -0,0 +1,61 @@
+# Repository settings for branch protection
+# This file can be used with the Probot Settings app or GitHub's repository settings API
+# See: https://github.com/probot/settings
+
+repository:
+ # Repository description
+ description: A full-stack blog application with FastAPI backend and Vue.js frontend
+
+ # Repository homepage
+ homepage: https://github.com/OneM1/Fastapi
+
+ # Repository topics
+ topics: fastapi, vuejs, blog, postgresql, jwt-authentication
+
+ # Repository features
+ has_issues: true
+ has_projects: true
+ has_wiki: true
+ has_downloads: true
+
+ # Default branch
+ default_branch: main
+
+# Branch protection rules
+branches:
+ - name: main
+ # Protection settings
+ protection:
+ # Require pull request reviews before merging
+ required_pull_request_reviews:
+ # Require approving reviews
+ required_approving_review_count: 1
+ # Dismiss stale pull request approvals when new commits are pushed
+ dismiss_stale_reviews: true
+ # Require review from Code Owners
+ require_code_owner_reviews: false
+ # Allow specified users to bypass pull request requirements
+ dismissal_restrictions: {}
+
+ # Require status checks to pass before merging
+ required_status_checks:
+ # Require branches to be up to date before merging
+ strict: true
+ # Status checks that are required
+ contexts:
+ - "build"
+
+ # Enforce restrictions for administrators
+ enforce_admins: false
+
+ # Prevent force pushes
+ allow_force_pushes: false
+
+ # Prevent branch deletion
+ allow_deletions: false
+
+ # Require linear history
+ required_linear_history: false
+
+ # Require conversation resolution before merging
+ required_conversation_resolution: true
diff --git a/.github/workflows/branch-protection-check.yml b/.github/workflows/branch-protection-check.yml
new file mode 100644
index 0000000..2bdfb7e
--- /dev/null
+++ b/.github/workflows/branch-protection-check.yml
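Review bot: The comment above `dismissal_restrictions: {}` is wrong: that field limits who may dismiss a pull-request review, not who may bypass the pull-request requirement (bypass is the separate `bypass_pull_request_allowances` setting of the branch-protection API), so it should read `# Restrict who can dismiss pull request reviews (empty = no restriction)`. Separately, `enforce_admins: false` lets repository administrators push to `main` directly and skip every rule in this block, which contradicts the force-push and review guarantees that the BRANCH_PROTECTION.md added in this patch describes; for a repository whose sole owner is also an admin this makes the rule advisory, so either set `enforce_admins: true` or document the exception next to the key. `require_code_owner_reviews: false` likewise means the CODEOWNERS file in this patch only requests reviews and does not gate merges, which is worth stating in the comment above it.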
@@ -0,0 +1,50 @@
+name: Branch Protection Check
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.9'
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements.txt
+
+ - name: Lint with flake8
+ run: |
+ pip install flake8
+ # Stop the build if there are Python syntax errors or undefined names
+ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude=env,venv,.venv,alembic,frontend
+ # Exit-zero treats all errors as warnings
+ flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics --exclude=env,venv,.venv,alembic,frontend
+ continue-on-error: true
+
+ - name: Run basic tests
+ run: |
+ # Run any existing tests
+ if [ -f "test.py" ]; then
+ echo "Running basic tests..."
+ python test.py || echo "Tests completed with warnings"
+ fi
+ continue-on-error: true
+
+ - name: Check branch protection status
+ run: |
+ echo "✅ Branch protection check completed"
+ echo "This workflow ensures code quality before merging to main"
diff --git a/BRANCH_PROTECTION.md b/BRANCH_PROTECTION.md
new file mode 100644
index 0000000..c363055
--- /dev/null
+++ b/BRANCH_PROTECTION.md
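Review bot: `uses: actions/checkout@v3` and `uses: actions/setup-python@v4` reference mutable major tags, so the code that the `build` check executes can change without any commit to this repository; since `build` is the only required status check named in `.github/settings.yml`, pinning both to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`, keeps the merge gate reproducible (newer majors of both actions exist, so updating and pinning can be done in one step). The same unpinned `actions/checkout@v3` line reappears as context in the patch-4 hunk of this series. The final step only echoes two strings and cannot fail, so a comment such as `# Informational only: the lint and test steps above are the actual gate` would keep readers from mistaking it for a check; the continue-on-error and token-permission issues are already addressed by patches 3 and 4 and are not re-raised here.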
@@ -0,0 +1,172 @@
+# Branch Protection Guide
+
+This document explains how branch protection is configured for this repository to ensure code quality and prevent accidental or malicious changes to the main branch.
+
+## What is Branch Protection?
+
+Branch protection rules help enforce certain workflows and quality standards before code can be merged into important branches like `main`. These rules prevent:
+- Force pushes that could overwrite history
+- Accidental deletion of important branches
+- Merging code without proper review or testing
+
+## Configuration Files
+
+### 1. `.github/settings.yml`
+
+This file contains the branch protection rules that can be automatically applied using the [Probot Settings app](https://github.com/probot/settings). The configuration includes:
+
+- **Pull Request Reviews**: Requires at least 1 approving review before merging
+- **Status Checks**: Requires the "build" workflow to pass before merging
+- **Force Push Protection**: Prevents force pushes to the main branch
+- **Deletion Protection**: Prevents the main branch from being deleted
+- **Conversation Resolution**: Requires all PR conversations to be resolved before merging
+
+### 2. `.github/workflows/branch-protection-check.yml`
+
+This GitHub Actions workflow runs automatically on:
+- Pushes to the main branch
+- Pull requests targeting the main branch
+
+The workflow performs:
+- Code checkout
+- Python environment setup
+- Dependency installation
+- Linting with flake8
+- Basic test execution
+
+### 3. `.github/CODEOWNERS`
+
+Defines code owners who are automatically requested for review when pull requests are opened. This ensures that the right people review changes to specific parts of the codebase.
+
+## How to Apply Branch Protection Rules
+
+### Option 1: Using Probot Settings App (Recommended)
+
+1. Install the [Probot Settings app](https://github.com/apps/settings) on your repository
+2. The app will automatically read the `.github/settings.yml` file
+3. 
Branch protection rules will be applied automatically
+
+### Option 2: Manual Configuration via GitHub UI
+
+1. Go to your repository on GitHub
+2. Click on **Settings** → **Branches**
+3. Under "Branch protection rules", click **Add rule**
+4. Configure the following settings:
+
+ **Branch name pattern**: `main`
+
+ ✅ **Require a pull request before merging**
+ - Require approvals: 1
+ - Dismiss stale pull request approvals when new commits are pushed
+
+ ✅ **Require status checks to pass before merging**
+ - Require branches to be up to date before merging
+ - Status checks: Select "build" (from GitHub Actions workflow)
+
+ ✅ **Require conversation resolution before merging**
+
+ ✅ **Do not allow bypassing the above settings** (Optional)
+
+ ✅ **Restrict who can push to matching branches** (Optional)
+
+ ✅ **Do not allow force pushes**
+
+ ✅ **Do not allow deletions**
+
+5. Click **Create** to save the rule
+
+### Option 3: Using GitHub API or CLI
+
+You can also use the GitHub API or GitHub CLI to configure branch protection programmatically. See the [GitHub API documentation](https://docs.github.com/en/rest/branches/branch-protection) for details.
+
+Example using GitHub CLI:
+```bash
+gh api repos/OneM1/Fastapi/branches/main/protection \
+ --method PUT \
+ --field required_status_checks='{"strict":true,"contexts":["build"]}' \
+ --field enforce_admins=false \
+ --field required_pull_request_reviews='{"required_approving_review_count":1,"dismiss_stale_reviews":true}' \
+ --field restrictions=null \
+ --field allow_force_pushes=false \
+ --field allow_deletions=false \
+ --field required_conversation_resolution=true
+```
+
+## Benefits of Branch Protection
+
+1. **Code Quality**: Ensures all code is reviewed before merging
+2. **Testing**: Prevents broken code from reaching production
+3. **History Preservation**: Protects against force pushes that could lose work
+4. **Collaboration**: Enforces team review processes
+5. 
**Security**: Prevents unauthorized changes to critical branches
+
+## Working with Protected Branches
+
+### Creating a Pull Request
+
+1. Create a new branch from main:
+ ```bash
+ git checkout -b feature/my-feature
+ ```
+
+2. Make your changes and commit:
+ ```bash
+ git add .
+ git commit -m "Add my feature"
+ ```
+
+3. Push your branch:
+ ```bash
+ git push origin feature/my-feature
+ ```
+
+4. Open a pull request on GitHub
+
+5. Wait for:
+ - Status checks to pass
+ - At least 1 review approval
+ - All conversations to be resolved
+
+6. Merge the pull request
+
+### If Status Checks Fail
+
+1. Review the error messages in the GitHub Actions workflow
+2. Fix the issues in your branch
+3. Push the fixes
+4. Status checks will run again automatically
+
+### If Review is Requested
+
+1. Address reviewer feedback
+2. Push additional commits or make requested changes
+3. Request re-review if needed
+
+## Troubleshooting
+
+### "Required status check is missing"
+
+Make sure the GitHub Actions workflow has run at least once. Push a commit to your pull request to trigger it.
+
+### "Branch protection rules not applied"
+
+If using Probot Settings app, ensure it's properly installed. Otherwise, apply rules manually via GitHub Settings.
+
+### "Cannot push to protected branch"
+
+This is expected behavior. Create a pull request instead of pushing directly to main.
+
+## Additional Resources
+
+- [GitHub Branch Protection Documentation](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
+- [GitHub Actions Documentation](https://docs.github.com/en/actions)
+- [Probot Settings App](https://github.com/probot/settings)
+
+## Summary
+
+Branch protection is now configured for this repository through:
+- Configuration files in `.github/`
+- GitHub Actions workflow for automated checks
+- CODEOWNERS file for automatic review requests
+
+To fully activate these protections, apply the branch protection rules using one of the methods described above.
diff --git a/README.md b/README.md
index 24d416b..1859650 100644
--- a/README.md
+++ b/README.md
@@ -177,6 +177,14 @@ The frontend will be available at `http://localhost:5173` Contributions are welcome! Please feel free to submit a Pull Request. +### Branch Protection + +This repository uses branch protection rules to maintain code quality and prevent accidental changes. Please see [BRANCH_PROTECTION.md](BRANCH_PROTECTION.md) for details on: +- How branch protection is configured +- How to apply protection rules +- Working with protected branches +- Creating pull requests + +## License + +This project is open source and available under the MIT License.
From 0c2b806f10304c23705a06d70ef55a95b2626bb3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Feb 2026 08:33:43 +0000 Subject: [PATCH 3/4] Fix workflow to properly enforce status checks without continue-on-error Co-authored-by: OneM1 <111998759+OneM1@users.noreply.github.com> --- .github/ISSUE_TEMPLATE/bug_report.md | 32 +++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 19 +++++++++++ .github/workflows/branch-protection-check.yml | 8 ++--- 3 files changed, 55 insertions(+), 4 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..117d131 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,32 @@ +--- +name: Bug Report +about: Create a report to help us improve +title: '[BUG] ' +labels: bug +assignees: '' +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Environment (please complete the following information):** + - OS: [e.g. Windows, macOS, Linux] + - Python Version: [e.g. 3.9] + - Browser: [e.g. chrome, safari] + - Version: [e.g. 22] + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..bfbf8ee --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -0,0 +1,19 @@
+---
+name: Feature Request
+about: Suggest an idea for this project
+title: '[FEATURE] '
+labels: enhancement
+assignees: ''
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/workflows/branch-protection-check.yml b/.github/workflows/branch-protection-check.yml
index 2bdfb7e..e9e3f35 100644
--- a/.github/workflows/branch-protection-check.yml
+++ b/.github/workflows/branch-protection-check.yml
@@ -31,18 +31,18 @@ jobs:
 pip install flake8
 # Stop the build if there are Python syntax errors or undefined names
 flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude=env,venv,.venv,alembic,frontend
- # Exit-zero treats all errors as warnings
+ # Warn about other style issues but don't fail the build
 flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics --exclude=env,venv,.venv,alembic,frontend
- continue-on-error: true
 
 - name: Run basic tests
 run: |
 # Run any existing tests
 if [ -f "test.py" ]; then
 echo "Running basic tests..."
- python test.py || echo "Tests completed with warnings"
+ python test.py
+ else
+ echo "No test.py found, skipping tests"
 fi
- continue-on-error: true
 
 - name: Check branch protection status
 run: |
From d11d969b7d4255c703244a755ff5484cadc50473 Mon Sep 17 00:00:00 2001
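Review bot: With the new `else` branch the `build` check passes with no tests at all whenever `test.py` is absent, so the one status check that `.github/settings.yml` requires can succeed vacuously; if the intent is to enforce tests, make the missing file a failure, otherwise at least surface it as a workflow annotation, `echo "::warning::No test.py found, skipping tests"`, so the gap is visible on the PR. The step also relies on `test.py` exiting non-zero on failure, which cannot be verified from this diff and is worth a comment such as `# test.py must exit non-zero on failure for this step to gate the merge`. The enclosing `run:` block and the job's step list begin before this hunk; the second `flake8 --exit-zero` pass still cannot fail the job, which the rewritten comment now states correctly.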
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Feb 2026 08:34:44 +0000 Subject: [PATCH 4/4] Add explicit permissions to workflow for security (fix CodeQL alert) Co-authored-by: OneM1 <111998759+OneM1@users.noreply.github.com> --- .github/workflows/branch-protection-check.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/branch-protection-check.yml b/.github/workflows/branch-protection-check.yml index e9e3f35..1ed5e53 100644 --- a/.github/workflows/branch-protection-check.yml +++ b/.github/workflows/branch-protection-check.yml @@ -12,6 +12,10 @@ jobs: build: runs-on: ubuntu-latest + # Set explicit permissions for GITHUB_TOKEN to follow principle of least privilege + permissions: + contents: read + steps: - name: Checkout code uses: actions/checkout@v3