nixos-20.09 got force push? #109384

Closed
mohe2015 opened this issue Jan 14, 2021 · 11 comments
Labels
2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: best practices 6.topic: continuous integration Affects continuous integration (CI) in Nixpkgs, including Ofborg and GitHub Actions

Comments

@mohe2015
Contributor

Issue description

Hi, I just got:

git fetch upstream 
remote: Enumerating objects: 1078, done.
remote: Counting objects: 100% (1078/1078), done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 1547 (delta 1054), reused 1069 (delta 1051), pack-reused 469
Receiving objects: 100% (1547/1547), 1.08 MiB | 3.01 MiB/s, done.
Resolving deltas: 100% (1189/1189), completed with 327 local objects.
From github.com:NixOS/nixpkgs
   8eb0bdc1469..bede7ee08c6  haskell-updates      -> upstream/haskell-updates
   c8d8d172933..80badc893dc  master               -> upstream/master
 + aa5b9cd16b9...808b5dd5cbb nixos-20.09          -> upstream/nixos-20.09  (forced update)
   d7d6f82e869..6d06166fb72  nixos-20.09-small    -> upstream/nixos-20.09-small
   5ff4a674125..79150e05734  nixos-unstable-small -> upstream/nixos-unstable-small
   875bcac79d4..0768790e7cd  nixpkgs-20.09-darwin -> upstream/nixpkgs-20.09-darwin
   875bcac79d4..3d8fa5f7215  release-20.09        -> upstream/release-20.09
   e85084a85bd..44f5b1d3bd2  staging              -> upstream/staging
   8f2460d407f..7172fda5c71  staging-20.09        -> upstream/staging-20.09
   318e673af06..730ff71234d  staging-next         -> upstream/staging-next

Why is nixos-20.09 not protected from force pushes and why was there a force push?

@mohe2015
Contributor Author

mohe2015 commented Jan 14, 2021

nixos-20.09...aa5b9cd maybe aa5b9cd got removed?

Edit: aa5b9cd...nixos-20.09
ok I don't understand git, sorry for my stupidity

@primeos
Member

primeos commented Jan 14, 2021

Seems like this happened here: #107699
Relevant IRC logs: https://logs.nix.samueldr.com/nixos/2021-01-14#4470627;

Can we block PRs to nixos-* branches to avoid such accidents (which can happen very easily) in the future?
IIRC GitHub does at least allow restricting push access to certain branches (patterns can be used, e.g. nixos-*) and that should hopefully also prevent the accidental merging of PRs via the web UI. We could then restrict the push access for nixos-* to @NixOS/channel-updaters (i.e. @nixos-channel-bot).
Edit: From the IRC logs it looks like everything is already configured correctly but apparently it doesn't work for org admins.

(And an ofborg warning would be helpful as well. IRC: "OfBorg should probably scream when somebody tries to PR into nixos-*")

cc @NixOS/infra

@domenkozar
Member

I've posted https://github.community/t/protect-branch-push-from-administrators/155827

@zimbatm
Member

zimbatm commented Jan 16, 2021

One way to work around that issue would be to add a "never-pass" CI check, that never succeeds. And then add it to the branch protection:
image

@zimbatm
Member

zimbatm commented Jan 16, 2021

^ see the mention for a proposed fix.

@mohe2015
Contributor Author

An additional protection may be a client-side hook to prevent direct pushes. This is of course just to avoid accidents as it would not actually protect anything. This would need manual installation though.
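
The client-side hook suggested above, as an added example that is not part of the original comment or of Nixpkgs: a `pre-push` hook that refuses any push whose remote ref matches `nixos-*`. The `PROTECTED_PATTERN` variable and the function name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: install as .git/hooks/pre-push in a local nixpkgs clone.
# It only guards against accidents; `git push --no-verify` skips it and
# server-side branch protection is still needed.

# Assumption: channel branches are the ones matching nixos-* (the pattern
# named in this thread). Adjust to taste.
PROTECTED_PATTERN='refs/heads/nixos-*'

# git feeds the hook one line per ref being pushed:
#   <local ref> <local sha> <remote ref> <remote sha>
# Print every protected remote ref found on stdin; return 1 if there was one.
find_protected_pushes() {
    status=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        case "$remote_ref" in
            $PROTECTED_PATTERN)
                echo "$remote_ref"
                status=1
                ;;
        esac
    done
    return "$status"
}

# Run the check only when invoked by git under the hook's file name, so the
# function can also be sourced or tested from another script.
if [ "${0##*/}" = "pre-push" ]; then
    if ! refs=$(find_protected_pushes); then
        echo "pre-push: refusing to push to channel branch(es) on '$1':" >&2
        echo "$refs" >&2
        exit 1
    fi
fi
```
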

@edolstra
Member

@zimbatm Wouldn't that also prevent the channel mirroring script from pushing?

@zimbatm
Member

zimbatm commented Jan 18, 2021

@edolstra not this PR, but the branch protection might. I think it's fine, but we need to test it. I think the best would be to sync on IRC and try it, see if it breaks anything, and quickly revert otherwise. Worst case, we still have the PR returning a broken status, but not enforced.

@stale

stale bot commented Jul 19, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 19, 2021
@mohe2015
Contributor Author

root causes still an issue afaik

@primeos
Member

primeos commented Jul 21, 2021

I guess with #109543 merged this can be closed then. At least that check should avoid the problem that caused this issue.
As for branch protection rules in general I've opened #121589 a while ago.

@primeos primeos closed this as completed Jul 21, 2021
@tomodachi94 tomodachi94 added 6.topic: best practices 6.topic: continuous integration Affects continuous integration (CI) in Nixpkgs, including Ofborg and GitHub Actions and removed 6.topic: hydra.nixos.org Issues affecting the build cache at hydra.nixos.org labels Nov 4, 2024