From 9bfbf209b6462b60fdb2e5a32d3a16d2aff662e2 Mon Sep 17 00:00:00 2001
From: Daniel Maksymilian Syrnicki <info@danielmaksymilian.com>
Date: Thu, 16 Apr 2026 13:02:25 +0200
Subject: [PATCH] ops(forgejo): whitelist owner in branch protection push rule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Earlier config was enable_push=false + apply_to_admins=false, which I
expected to let the repo owner push directly. Empirically it blocked
owner pushes too — apply_to_admins governs approval-rule bypass, not
push-rule bypass. Switch to enable_push=true with enable_push_whitelist
and a single entry so the owner has explicit, auditable direct-push
access while casual commits still can't land without being whitelisted
or going through a PR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 ops/forgejo/branch-protection.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ops/forgejo/branch-protection.json b/ops/forgejo/branch-protection.json
index 0f34550..b0ac04e 100644
--- a/ops/forgejo/branch-protection.json
+++ b/ops/forgejo/branch-protection.json
@@ -1,5 +1,7 @@
 {
-  "enable_push": false,
+  "enable_push": true,
+  "enable_push_whitelist": true,
+  "push_whitelist_usernames": ["daniel"],
   "enable_status_check": true,
   "status_check_contexts": [
     "CI / lint*",