cloudfoundry · rkoster · Jun 24, 2025 · Jul 1, 2025
diff --git a/orgs/org_management.py b/orgs/org_management.py
@@ -192,18 +192,17 @@ def generate_teams(self):
 
     def generate_branch_protection(self):
         # basis is static config in self.branch_protection which is never overwritten
-        # generate RFC0015 branch protection rules for every WG+TOC that opted in
+        # generate RFC0015 branch protection rules for every WG+TOC by default
         for org in OrgGenerator._MANAGED_ORGS:
             branch_protection_repos = self.branch_protection["branch-protection"]["orgs"][org]["repos"]
             wgs = self.working_groups[org]
             if org == self.toc["org"]:
                 wgs.append(self.toc)
             for wg in wgs:
-                if wg.get("config", {}).get("generate_rfc0015_branch_protection_rules", False):  # config is optional
-                    repo_rules = self._generate_wg_branch_protection(wg)
-                    for repo in repo_rules:
-                        if repo not in branch_protection_repos:
-                            branch_protection_repos[repo] = repo_rules[repo]
+                repo_rules = self._generate_wg_branch_protection(wg)
+                for repo in repo_rules:
+                    if repo not in branch_protection_repos:
+                        branch_protection_repos[repo] = repo_rules[repo]
 
     def write_org_config(self, path: str):
         print(f"Writing org configuration to {path}")

diff --git a/orgs/test_org_management.py b/orgs/test_org_management.py
@@ -164,8 +164,6 @@
   bots:
   - github: bot-wg1-a5
     name: WG3 Area5 Bot
-config:
-  generate_rfc0015_branch_protection_rules: true
 """
 
 wg4_other_org = """
@@ -206,8 +204,6 @@
   - cloudfoundry2/repo3
   - cloudfoundry2/repo4
   - cloudfoundry/repo5
-config:
-  generate_rfc0015_branch_protection_rules: true
 """
 
 toc = """
@@ -231,7 +227,6 @@
   repositories:
   - cloudfoundry/community
 config:
-  generate_rfc0015_branch_protection_rules: true
   github_project_sync:
     mapping:
       cloudfoundry: 31
@@ -732,8 +727,8 @@ def test_generate_branch_protection(self):
         bp_repos = o.branch_protection["branch-protection"]["orgs"]["cloudfoundry"]["repos"]
         # TOC and wg3 opted in, wg1 and wg2 not
         # note: repo1..4 are shared between wg1 (opt out) and wg3 (opt in) - wg3 wins
-        self.assertSetEqual({f"repo{i}" for i in range(1, 6)} | {"community"}, set(bp_repos.keys()))
-        # repo1 has static config that wins over generated branch protection rules
+        self.assertSetEqual({f"repo{i}" for i in list(range(1, 6)) + [10, 11]} | {"community"}, set(bp_repos.keys()))
+        # repo1 has static config that wins over generated branch protection rulesp
         self.assertTrue(bp_repos["repo1"]["protect"])
         self.assertNotIn("required_pull_request_reviews", bp_repos["repo1"])
 
@@ -749,7 +744,7 @@ def test_generate_branch_protection_multiple_orgs(self):
         bp_repos = o.branch_protection["branch-protection"]["orgs"]["cloudfoundry"]["repos"]
         # TOC and wg3 opted in, wg1 and wg2 not
         # note: repo1..4 are shared between wg1 (opt out) and wg3 (opt in) - wg3 wins
-        self.assertSetEqual({f"repo{i}" for i in range(1, 6)} | {"community"}, set(bp_repos.keys()))
+        self.assertSetEqual({f"repo{i}" for i in list(range(1, 6)) + [10, 11]} | {"community"}, set(bp_repos.keys()))
         # repo1 has static config that wins over generated branch protection rules
         self.assertTrue(bp_repos["repo1"]["protect"])
         self.assertNotIn("required_pull_request_reviews", bp_repos["repo1"])

diff --git a/toc/rfc/rfc-0015-branch-protection.md b/toc/rfc/rfc-0015-branch-protection.md
@@ -37,3 +37,11 @@ With respect to the approval of pull requests, we propose that the number of app
 * 1 approval will be required when a working group has 4 or more people in the approver role.
 
 The automation should allow to override the standard branch protection per respository using a configuration file maintained in this community repository. This allows working group leads e.g. to reduce the number of required approvals if several approvers are temporarily not available.
+
+## Amendments
+
+### Protection by Default
+
+To improve the security posture of the foundation, the branch protection rules defined in this RFC are applied by default to all repositories of all Working Groups. The previous opt-in mechanism via a flag in Working Group charters is removed.
+
+Working Groups can request exceptions for specific repositories by creating a pull request against `orgs/branchprotection.yml`. The pull request description MUST contain a justification for the exception.
diff --git a/toc/working-groups/app-runtime-deployments.md b/toc/working-groups/app-runtime-deployments.md
@@ -79,6 +79,4 @@ areas:
   - cloudfoundry/relint-team
   - cloudfoundry/runtime-ci
   - cloudfoundry/uptimer
-config:
-  generate_rfc0015_branch_protection_rules: true
 ```
diff --git a/toc/working-groups/app-runtime-interfaces.md b/toc/working-groups/app-runtime-interfaces.md
@@ -522,7 +522,4 @@ areas:
   repositories:
   - cloudfoundry/stratos
   - cloudfoundry/stratos-buildpack
-
-config:
-  generate_rfc0015_branch_protection_rules: true
 ```
diff --git a/toc/working-groups/app-runtime-platform.md b/toc/working-groups/app-runtime-platform.md
@@ -54,7 +54,6 @@ bots:
 - name: Cryogenics CI bot
   github: Cryogenics-CI
 config:
-  generate_rfc0015_branch_protection_rules: true
   github_project_sync:
     mapping:
       cloudfoundry: 41

diff --git a/toc/working-groups/cf-on-k8s.md b/toc/working-groups/cf-on-k8s.md
@@ -38,8 +38,6 @@ technical_leads:
 bots:
 - name: korifi-bot
   github: korifi-bot
-config:
-  generate_rfc0015_branch_protection_rules: true
 areas:
 - name: Korifi
   approvers: