Automate protection/unprotection of master during release

[Mierdin]

We should look into unprotecting and protecting master programmatically. Several workflows in st2cd push directly to master in a few repos - and currently we have to unprotect (and more importantly remember to re-protect) manually.

[arm4b]

+1 on this.

It will also help us to automate st2cicd node creation and committing new Terraform resources to ops-infra. At the moment we need to sync up 3 places: st2cicd, ops-infra master and ops-infra NOMERGE/build-node cc @bigmstone

[bigmstone]

I'm -1 to protect/unprotect. I'd rather programmatically create a PR, approve it, and merge it. This will keep a better audit trail and easier to parse diff in github. I'm going to attempt to tackle this in st2cicd and see what the limitations are. If successful someone can copy the method over for release mgmt.

[Mierdin]

Agreed, creation of a PR would be a better way to go, just a bit more work

[arm4b]

This definitely should be automated, since applying this manually is error-prone:

note the ci/circleci: deploy (required) task which was included by mistake by the release manager during master unprotection/protection.

[arm4b]

We just have found a possible easy solution for this issue.

For branch protection, Github has an option to enforce status checks for Administrators.
If unchecked, repo administrator (esteetew during the release automation) can push directly to master.

---

... the only problem is that everyone is administrator.

At least release automation can check/uncheck only one single setting, instead of unprotecting entire branch configuration.

It's 1 simple API (boolean) call:

• Protect: https://developer.github.com/v3/repos/branches/#add-admin-enforcement-of-protected-branch
• Unprotect: https://developer.github.com/v3/repos/branches/#remove-admin-enforcement-of-protected-branch