branchprotector: remove protection from excluded branches

kaovilai · kaovilai · commit 2f7aa72a9d04 · 2025-06-16T09:13:24.000-04:00
Fix issue where excluded branches retain existing protection instead of being removed. When a branch is added to the exclude list in branchprotector configuration, the tool correctly stops applying new protection rules but does not remove existing protection from branches that were previously protected. This change adds logic to detect excluded branches that are currently protected and queue them for removal by sending requirements with Request: nil, which triggers RemoveBranchProtection() in the configureBranches() function. The fix prevents push failures like: remote: error: GH006: Protected branch update failed for refs/heads/konflux-branch remote: - Changes must be made through a pull request. Changes: - Add detection logic for excluded protected branches in UpdateRepo() - Send removal requests (Request: nil) for such branches - Update tests to expect removal requests for excluded protected branches - Add code comment explaining the call flow to RemoveBranchProtection Fixes #477
diff --git a/cmd/branchprotector/protect.go b/cmd/branchprotector/protect.go
@@ -326,11 +326,13 @@ func (p *protector) UpdateRepo(orgName string, repoName string, repo config.Repo
 	}
 
 	branches := map[string]github.Branch{}
+	var allBranches []github.Branch
 	for _, onlyProtected := range []bool{false, true} { // put true second so b.Protected is set correctly
 		bs, err := p.client.GetBranches(orgName, repoName, onlyProtected)
 		if err != nil {
 			return fmt.Errorf("list branches: %w", err)
 		}
+		allBranches = append(allBranches, bs...)
 		for _, b := range bs {
 			_, ok := repo.Branches[b.Name]
 			if !ok && branchInclusions != nil && branchInclusions.MatchString(b.Name) {
@@ -346,6 +348,27 @@ func (p *protector) UpdateRepo(orgName string, repoName string, repo config.Repo
 		}
 	}
 
+	// Handle excluded branches that are currently protected and need removal
+	if branchExclusions != nil {
+		seen := make(map[string]bool)
+		for _, b := range allBranches {
+			if b.Protected && branchExclusions.MatchString(b.Name) && !seen[b.Name] {
+				seen[b.Name] = true
+				// Check if this branch is not in the branches map (i.e., it was excluded)
+				if _, inBranches := branches[b.Name]; !inBranches {
+					logrus.Infof("%s/%s=%s: removing protection from excluded branch", orgName, repoName, b.Name)
+					p.updates <- requirements{
+						Org:     orgName,
+						Repo:    repoName,
+						Branch:  b.Name,
+						Request: nil, // nil Request triggers RemoveBranchProtection
+						// Flow: updates channel -> configureBranches() -> client.RemoveBranchProtection()
+					}
+				}
+			}
+		}
+	}
+
 	var apps, collaborators, teams []string
 	if p.verifyRestrictions {
 		apps, err = p.authorizedApps(orgName)
diff --git a/cmd/branchprotector/protect_test.go b/cmd/branchprotector/protect_test.go
@@ -1109,6 +1109,12 @@ branch-protection:
 `,
 
 			expected: []requirements{
+				{
+					Org:     "kubernetes",
+					Repo:    "test-infra",
+					Branch:  "skip",
+					Request: nil, // nil Request triggers RemoveBranchProtection
+				},
 				{
 					Org:     "kubernetes",
 					Repo:    "test-infra",
@@ -1133,6 +1139,18 @@ branch-protection:
           - sk.*
 `,
 			expected: []requirements{
+				{
+					Org:     "kubernetes",
+					Repo:    "test-infra",
+					Branch:  "skip",
+					Request: nil, // nil Request triggers RemoveBranchProtection
+				},
+				{
+					Org:     "kubernetes",
+					Repo:    "test-infra",
+					Branch:  "foobar1",
+					Request: nil, // nil Request triggers RemoveBranchProtection
+				},
 				{
 					Org:     "kubernetes",
 					Repo:    "test-infra",
