AI Platform Core Components / AIPCC-11304

apply consistent permissions on development repositories

    • Type: Epic
    • Status: To Do
    • Resolution: Unresolved
    • Priority: Undefined
    • Component: AIPCC Productization
    • Parent: AIPCC-2087 Secure Access Management for AIPCC Resources
    • Progress: 50% To Do, 50% In Progress, 0% Done

      As part of securing our build environments, we want to apply consistent rules across all of the GitLab repositories where we do development work.

      Each repository with development work or production work should be configured in the same way, to

      • Require all contributors to have 2FA enabled in GitLab
      • Include branch protection on all development and stable branches so that the branches can only be changed via a reviewed MR (no direct pushes)
      • Require review from another person before merging code
      • Require the CI pipeline to succeed before merging changes
      • Require all threads on a review to be resolved before merging changes
      • Reset all approvals on an MR when a new commit is pushed to it
      • Only allow users with Maintainer or Owner role to merge changes
      • Only allow users with Maintainer or Owner role to add tags
      • Do not allow users to remove git tags by pushing
      • Prevent pushing secret files
      • Use the merge method that always creates a merge commit (no fast-forward merges)
      • Include a template for MR merge commits that shows who reviewed, approved, and merged the change

      The builder repository has all of these flags set and can be used to understand how to configure them on another repository.

      To complete this work we need to add automation to the https://gitlab.com/redhat/rhel-ai/core/infrastructure repository to manage a list of development repositories, similar to the product repos and mirror repos that are managed by that code today.

      When the list of development repositories is updated, the rules above should be applied to every item in the list, as we do with other settings for the other repos. This ensures that if we add more rules later they are applied consistently.

      The same set of rules needs to be applied to the pipeline repositories created by the code that manages the product repositories.
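      The following is an added example, not code from the infrastructure repository or the builder repository: it maps each rule above onto the GitLab REST API calls that enforce it, and applies them to a managed list of projects the way the automation described above would. The endpoint paths and field names are GitLab's; the repository list, branch patterns, GITLAB_TOKEN environment variable and the DryRunClient are assumptions of this example. One caveat the list above glosses over is built in: GitLab enforces 2FA per group, not per project, so that rule is applied to the project's top-level group rather than to the repository itself.

```python
"""Render and apply one protection profile to every listed GitLab project.

Added example (not AIPCC infrastructure code). Endpoint and field names are
GitLab's; DEVELOPMENT_REPOS, the branch patterns and GITLAB_TOKEN are
assumptions of this example.
"""
import json
import os
import urllib.parse
import urllib.request

MAINTAINER = 40   # GitLab access level "Maintainer"; Owners satisfy it too
NO_ACCESS = 0     # GitLab access level "No one"

# Constructed input: the managed repository list, with branch patterns to
# protect (GitLab protected-branch wildcards are allowed).
DEVELOPMENT_REPOS = {
    "example-group/ai/builder": ["main", "stable-*"],
    "example-group/ai/pipelines": ["main"],
}


def project_id(path):
    """GitLab accepts a URL-encoded 'group/project' path in place of an id."""
    return urllib.parse.quote(path, safe="")


def desired_requests(path, branches):
    """Return the (method, api_path, body) calls that put one project into
    the required state; each call corresponds to one rule in the ticket."""
    pid = project_id(path)
    top_group = project_id(path.split("/")[0])
    calls = [
        # 2FA is a group setting: enforce it on the top-level group so every
        # member (hence every contributor to the project) must enrol.
        ("PUT", f"/groups/{top_group}",
         {"require_two_factor_authentication": True, "two_factor_grace_period": 0}),
        # Merge gates and merge method live on the project itself.
        ("PUT", f"/projects/{pid}", {
            "only_allow_merge_if_pipeline_succeeds": True,
            "only_allow_merge_if_all_discussions_are_resolved": True,
            "merge_method": "merge",            # always create a merge commit
            "merge_commit_template": (
                "Merge branch '%{source_branch}' into '%{target_branch}'\n\n"
                "%{title}\n\n%{reviewed_by}\n%{approved_by}\n%{merged_by}\n\n"
                "See merge request %{reference}"),
        }),
        # Review by another person; approvals are reset on every new commit.
        ("POST", f"/projects/{pid}/approvals",
         {"reset_approvals_on_push": True, "merge_requests_author_approval": False}),
        ("POST", f"/projects/{pid}/approval_rules",
         {"name": "Peer review", "rule_type": "any_approver", "approvals_required": 1}),
        # Nobody pushes to protected branches; only Maintainer+ merges.
        *[("POST", f"/projects/{pid}/protected_branches",
           {"name": branch, "push_access_level": NO_ACCESS,
            "merge_access_level": MAINTAINER, "allow_force_push": False})
          for branch in branches],
        # Only Maintainer+ may create tags; protected tags cannot be deleted.
        ("POST", f"/projects/{pid}/protected_tags",
         {"name": "*", "create_access_level": MAINTAINER}),
        # Push rules: refuse tag deletion and files that look like secrets.
        ("PUT", f"/projects/{pid}/push_rule",
         {"deny_delete_tag": True, "prevent_secrets": True}),
    ]
    return calls


class GitLabClient:
    """Minimal REST client; reads the token from GITLAB_TOKEN (assumption)."""

    def __init__(self, base="https://gitlab.com/api/v4", token=None):
        self.base = base
        self.token = token or os.environ["GITLAB_TOKEN"]

    def request(self, method, api_path, body):
        req = urllib.request.Request(
            self.base + api_path, method=method, data=json.dumps(body).encode(),
            headers={"PRIVATE-TOKEN": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)


class DryRunClient:
    """Records the calls instead of sending them; used to preview a run."""

    def __init__(self):
        self.calls = []

    def request(self, method, api_path, body):
        self.calls.append((method, api_path, body))
        return {}


def apply_profile(client, repos):
    """Apply the profile to every managed repository; returns the call count."""
    count = 0
    for path, branches in repos.items():
        for method, api_path, body in desired_requests(path, branches):
            client.request(method, api_path, body)
            count += 1
    return count


if __name__ == "__main__":
    preview = DryRunClient()
    print(apply_profile(preview, DEVELOPMENT_REPOS), "API calls")
    for method, api_path, _ in preview.calls:
        print(method, api_path)
```

      Running the module as-is only prints the planned calls; swap DryRunClient for GitLabClient to apply them. Because the ticket asks for the rules to be re-applied whenever the repository list changes, a production version should make the POST calls idempotent (GET the existing protected branch, approval rule or push rule and PUT to it when present) rather than assume a fresh project; the PUT calls are already safe to repeat. Push rules require a GitLab tier that includes them, so check the response code rather than silently ignoring a 404.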

              People: Xiyang Dong (xdong@redhat.com), Doug Hellmann (dhellman@redhat.com)
              Team: Klara's Team