enforce admins off/on for push

kazuk · kazuk · commit f8148e26df7e · 2022-07-24T18:17:41.000+09:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -96,12 +96,26 @@ jobs:
           git status -v >> $GITHUB_STEP_SUMMARY
           echo '```' >> $GITHUB_STEP_SUMMARY
 
+      - name: Turn off enforce admin
+        env: 
+          GITHUB_TOKEN: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }}
+        run: |
+          source .github/workflows/scripts/github-branch-protection.bash
+          enforce_admins_off
+
       - name: git push
         run: |
           git remote set-url origin "https://github-actions:${{ secrets.GHPAT_FOR_PUSH_RELEASE }}@github.com/${GITHUB_REPOSITORY}"
           git push -v --force origin main
           git push -v --force origin "v${RELEASE_VERSION}"
 
+      - name: Turn on enforce admin
+        env: 
+          GITHUB_TOKEN: ${{ secrets.GHPAT_FOR_PUSH_RELEASE }}
+        run: |
+          source .github/workflows/scripts/github-branch-protection.bash
+          enforce_admins_on
+
       - name: cargo publish
         run: |
           # load helper script
diff --git a/.github/workflows/scripts/github-branch-protection.bash b/.github/workflows/scripts/github-branch-protection.bash
@@ -0,0 +1,39 @@
+function get_current_branch_protection_setting() {
+    gh api --method GET repos/${OWNER}/${REPO}/branches/${BRANCH}/protection | jq '
+    {
+        required_status_checks: null,
+        restrictions: { 
+            users: .restrictions.users | [.[].login],
+            teams: .restrictions.teams | [.[].slug],
+            apps: .restrictions.apps | [.[].slug]
+        },
+        enforce_admins: .enforce_admins.enabled ,
+        required_pull_request_reviews: {
+        dismiss_stale_reviews: .required_pull_request_reviews.dismiss_stale_reviews,
+        require_code_owner_reviews: .required_pull_request_reviews.require_code_owner_reviews,
+        required_approving_review_count: .required_pull_request_reviews.required_approving_review_count
+        },
+        required_linear_history: .required_linear_history.enabled,
+        required_signatures: .required_signatures.enabled,
+        allow_force_pushes: .allow_force_pushes.enabled,
+        allow_deletions: .allow_deletions.enabled,
+        block_reations: .block_creations.enabled,
+        required_conversation_resolution: .required_conversation_resolution.enabled
+    }'
+}
+
+function apply_branch_protection_setting() {
+    gh api --method PUT -H "Accept: application/vnd.github+json" --input - repos/${OWNER}/${REPO}/branches/${BRANCH}/protection
+}
+
+function enfore_admins_off() {
+    get_current_branch_protection_setting | jq '.enforce_admins = false' | apply_branch_protection_setting
+}
+
+export -f enfore_admins_off
+
+function enfore_admins_on() {
+    get_current_branch_protection_setting | jq '.enforce_admins = true' | apply_branch_protection_setting
+}
+
+export -f enfore_admins_on
