.github/workflows/setup-branch-protection.yml

name: Setup Branch Protection

on:
  workflow_dispatch:
    inputs:
      branch:
        description: 'Branch to protect'
        required: true
        default: 'main'
      required_reviews:
        description: 'Number of required reviews'
        required: true
        default: '2'
      required_status_checks:
        description: 'Required status checks (comma-separated)'
        required: true
        default: 'ci-cd/quality-check,ci-cd/test,ci-cd/security,ci-cd/backtesting'

jobs:
  setup-protection:
    name: Setup Branch Protection
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      
    - name: Setup Branch Protection
      run: |
        BRANCH="${{ github.event.inputs.branch }}"
        REVIEWS="${{ github.event.inputs.required_reviews }}"
        CHECKS="${{ github.event.inputs.required_status_checks }}"
        
        # Convert comma-separated checks to JSON array
        CHECKS_JSON=$(echo "[$(echo $CHECKS | sed 's/,/","/g' | sed 's/^/"/' | sed 's/$/"/')]")
        
        echo "Setting up protection for branch: $BRANCH"
        echo "Required reviews: $REVIEWS"
        echo "Required checks: $CHECKS"
        
        # Enable branch protection
        gh api repos/${{ github.repository }}/branches/$BRANCH/protection \
          --method PUT \
          --field required_status_checks="{\"strict\":true,\"contexts\":$CHECKS_JSON}" \
          --field enforce_admins=true \
          --field required_pull_request_reviews="{\"required_approving_review_count\":$REVIEWS,\"dismiss_stale_reviews\":true,\"require_code_owner_reviews\":true}" \
          --field restrictions=null \
          --field allow_force_pushes=false \
          --field allow_deletions=false
        
        echo "✅ Branch protection enabled for $BRANCH"
        
    - name: Verify Protection
      run: |
        BRANCH="${{ github.event.inputs.branch }}"
        
        echo "Verifying branch protection for $BRANCH..."
        
        # Get protection status
        PROTECTION=$(gh api repos/${{ github.repository }}/branches/$BRANCH/protection)
        
        echo "Protection status:"
        echo "$PROTECTION" | jq '.'
        
        # Check if protection is enabled
        if echo "$PROTECTION" | jq -e '.required_status_checks' > /dev/null; then
          echo "✅ Branch protection is active"
        else
          echo "❌ Branch protection not properly configured"
          exit 1
        fi