feat: split up policy into two flags #9120

One controls the pull request review policy, and the second one prevents
collaborators from pushing directly to the default branch (prevents
commit merging as well, only doable by admins)

repo.schema.yaml

@@ -141,7 +141,7 @@ properties:
               The review workflow will trigger for pull requests and will check if the commit messages conform with
               conventional commits, and if cards are referenced as part of the commit message.
 
-      enforce_review_policy:
+      review_policy:
         type: boolean
         default: false
         description: >
@@ -153,6 +153,14 @@ properties:
           changes reviewed</li>
           </ul>
 
+      default_branch_push_protection:
+        type: boolean
+        default: false
+        description: >
+          Requires `enforce_review_policy` to be also enabled.
+          Prevents contributors with write access from pushing commits to the `default_branch` of the repository.
+          **Enabling this will disable the automatic merging of Dependabot PRs. `dependabot_auto_merge`**
+
       features:
         type: object
         description: GitHub features

tasks/generate-files.yaml

@@ -23,16 +23,27 @@
     path: "{{ repo_path }}/.github/workflows"
     state: directory
 
-- name: Generate repo-ansible workflow
-  ansible.builtin.copy:
-    src: ./templates/.github/workflows/repo-ansible.yaml
-    dest: "{{ repo_path }}/.github/workflows/repo-ansible.yaml"
+- when: repo.github.default_branch_push_protection
+  name: "disable workflows incompatible with {{ repo.github.default_branch }} branch push protection"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "{{ repo_path }}/.github/workflows/repo-ansible.yaml"
+    - "{{ repo_path }}/.github/workflows/dependabot-auto-merge.yaml"
+
+- when: not repo.github.default_branch_push_protection
+  block:
+  - name: Generate repo-ansible workflow
+    ansible.builtin.copy:
+      src: ./templates/.github/workflows/repo-ansible.yaml
+      dest: "{{ repo_path }}/.github/workflows/repo-ansible.yaml"
 
-- name: Generate dependabot automerge workflow
-  ansible.builtin.copy:
-    src: ./templates/.github/workflows/dependabot-auto-merge.yaml
-    dest: "{{ repo_path }}/.github/workflows/dependabot-auto-merge.yaml"
-  when: repo.github.features.dependabot_auto_merge
+  - name: Generate dependabot automerge workflow
+    ansible.builtin.copy:
+      src: ./templates/.github/workflows/dependabot-auto-merge.yaml
+      dest: "{{ repo_path }}/.github/workflows/dependabot-auto-merge.yaml"
+    when: repo.github.features.dependabot_auto_merge
 
 - name: Generate CODEOWNERS file
   template:

templates/.github/settings.yml.j2

@@ -79,19 +79,24 @@ labels:
     color: CC0000
     description: A repository chore.
 
-{% if repo.github.enforce_review_policy %}
+{% if repo.github.review_policy %}
 branches:
   # https://docs.github.com/en/rest/branches/branch-protection?apiVersion=2022-11-28#update-branch-protection
   - name: {{ repo.github.default_branch }}
     protection:
+      required_status_checks: null
       enforce_admins: true
       required_pull_request_reviews:
         dismiss_stale_reviews: true
         required_approving_review_count: 1
         require_last_push_approval: true
         bypass_pull_request_allowances:
           users: ["dependabot[bot]"]       # Dependabot exception for the automatic merging of patch/security fixes
-      restrictions: null
+      restrictions:
+{% if repo.github.default_branch_push_protection %}
+        users: []
+        teams: []
+{% endif %}
       allow_force_pushes: false
       allow_deletions: false
       required_conversation_resolution: true