GHA-163 Add Lock Branch Action to manage branch protection settings (#81)

Author: nils-werner-sonarsource

.github/workflows/test-all.yml

@@ -41,3 +41,6 @@ jobs:
 
   test-update-rule-metadata:
     uses: ./.github/workflows/test-update-rule-metadata.yml
+
+  test-lock-branch:
+    uses: ./.github/workflows/test-lock-branch.yml

.github/workflows/test-lock-branch.yml

@@ -0,0 +1,42 @@
+name: Test Lock Branch Action
+
+on:
+  workflow_call:
+  pull_request:
+    paths:
+      - 'lock-branch/**'
+      - '.github/workflows/test-lock-branch.yml'
+  push:
+    branches:
+      - branch-*
+    paths:
+      - 'lock-branch/**'
+      - '.github/workflows/test-lock-branch.yml'
+  workflow_dispatch:
+
+jobs:
+  unit-tests:
+    name: Run Unit Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: '3.10'
+          cache: 'pip'
+          cache-dependency-path: lock-branch/requirements.txt
+
+      - name: Install dependencies
+        run: |
+          cd lock-branch
+          pip install -r requirements.txt
+          pip install pytest pytest-cov
+
+      - name: Run unit tests
+        run: |
+          cd lock-branch
+          python -m pytest test_utils.py test_lock_branch.py test_notify_slack.py -v --cov=utils --cov=lock_branch --cov=notify_slack --cov-report=term-missing

CLAUDE.md

@@ -6,8 +6,18 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 This is a collection of reusable GitHub Actions for automating SonarSource analyzer releases. Actions handle Jira integration (tickets, versions, release notes), GitHub releases, cross-repository updates, and Slack notifications.
 
+## Branching
+
+**Important:** Changes must always be made on a feature branch, never directly on `master`.
+- If on `master`, create a new branch using the format: `ab/<feature-name>` (e.g., `ab/add-slack-notifications`)
+- The prefix `ab` represents the developer's initials (first letter of first name + first letter of last name)
+- Adapt `<feature-name>` based on the task/prompt (use lowercase, hyphen-separated)
+- If already on a feature branch, do not create a new branch—continue working on the current branch
+
 ## Testing
 
+**Important:** When making any code changes, always check if there are related tests that need to be updated. Always run the tests after making changes to ensure nothing is broken.
+
 ### Run all tests (CI)
 Tests run automatically via GitHub Actions. To trigger manually:
 - Push to `master` runs `.github/workflows/test-all.yml`

README.md

@@ -11,12 +11,16 @@ A centralized collection of reusable GitHub Actions designed to streamline and a
 * [**Get Jira Release Notes**](get-jira-release-notes/README.md): Fetches Jira release notes and generates the release notes URL for a given project and version.
 * [**Get Jira Version**](get-jira-version/README.md): Extracts a Jira-compatible version number from a release version by formatting it appropriately for Jira.
 * [**Get Release Version**](get-release-version/README.md): Extracts the release version from the repox status on a specified branch.
+* [**Lock Branch**](lock-branch/README.md): Locks or unlocks a branch by modifying the `lock_branch` setting in branch protection rules.
 * [**Notify Slack on Failure**](notify-slack/README.md): Sends a Slack notification when a job fails.
 * [**Publish GitHub Release**](publish-github-release/README.md): Publishes a GitHub Release with notes fetched from Jira or provided directly.
 * [**Release Jira Version**](release-jira-version/README.md): Releases a Jira version and creates the next one.
 * [**Update Analyzer**](update-analyzer/README.md): Updates an analyzer version in SonarQube or SonarCloud and creates a pull request.
 * [**Update Release Ticket Status**](update-release-ticket-status/README.md): Updates the status of a Jira release ticket and can change its assignee.
 * [**Update Rule Metadata**](update-rule-metadata/README.md): Automates updating rule metadata across all supported languages using the rule-api tooling.
+
+## Available Workflows
+
 * [**Automated Release Workflow**](docs/AUTOMATED_RELEASE.md): Orchestrates the end-to-end release across Jira and GitHub, with optional integration tickets and analyzer PRs.
 
 ## Development

lock-branch/README.md

@@ -0,0 +1,127 @@
+# Lock Branch Action
+
+This GitHub Action locks or unlocks a branch by modifying the `lock_branch` setting in branch protection rules.
+
+## Description
+
+The action modifies branch protection settings to:
+- **Freeze (lock)**: Prevent all pushes and merges to the branch
+- **Unfreeze (unlock)**: Allow normal operations on the branch
+
+This is useful for temporarily locking a branch during release processes.
+
+## Prerequisites
+
+- Branch protection must be enabled on the target branch (or will be created with minimal settings)
+- GitHub token with `administration:write` permissions
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `branch` | The branch name to lock/unlock | Yes | - |
+| `freeze` | Set to `true` to lock (freeze), `false` to unlock (unfreeze) | Yes | - |
+| `slack-channel` | Slack channel to notify about state changes | No | - |
+| `github-token` | GitHub token with admin permissions | No | From Vault |
+| `slack-token` | Slack token for notifications | No | From Vault |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `previous-state` | The previous lock state (`true`/`false`) |
+| `current-state` | The current lock state (`true`/`false`) |
+| `branch` | The branch that was modified |
+
+## Usage
+
+### Lock (freeze) a branch
+
+```yaml
+- name: Freeze master branch
+  uses: SonarSource/release-github-actions/lock-branch@v1
+  with:
+    branch: master
+    freeze: true
+    slack-channel: '#releases'
+```
+
+### Unlock (unfreeze) a branch
+
+```yaml
+- name: Unfreeze master branch
+  uses: SonarSource/release-github-actions/lock-branch@v1
+  with:
+    branch: master
+    freeze: false
+    slack-channel: '#releases'
+```
+
+### Use in automated release workflow
+
+```yaml
+jobs:
+  freeze-branch:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - uses: SonarSource/release-github-actions/lock-branch@v1
+        with:
+          branch: ${{ inputs.branch }}
+          freeze: true
+          slack-channel: ${{ inputs.slack-channel }}
+
+  # ... release steps ...
+
+  unfreeze-branch:
+    needs: [release-steps]
+    if: always()
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - uses: SonarSource/release-github-actions/lock-branch@v1
+        with:
+          branch: ${{ inputs.branch }}
+          freeze: false
+          slack-channel: ${{ inputs.slack-channel }}
+```
+
+## Behavior
+
+### Locking a branch
+- Sets `lock_branch: true` in branch protection settings
+- Prevents all pushes and merges to the branch
+- Preserves all other existing branch protection settings
+
+### Unlocking a branch
+- Sets `lock_branch: false` in branch protection settings
+- Allows normal push and merge operations
+- Preserves all other existing branch protection settings
+
+### Idempotent operation
+- If the branch is already in the requested state, no changes are made
+- The action will succeed and report the current state
+
+### No existing protection
+- If the branch has no existing protection, minimal protection is created with just the lock setting
+- Existing protection settings are always preserved when updating
+
+## Slack Notifications
+
+When `slack-channel` is provided, the action sends a notification with:
+- Lock/unlock icon indicating the action taken
+- Branch name and repository
+- Link to the workflow run
+
+## Error Handling
+
+The action will fail if:
+- GitHub authentication fails
+- Branch protection cannot be updated (e.g., insufficient permissions)
+- API request fails
+
+The action will succeed with a warning if:
+- No branch protection exists (will create minimal protection with lock)
+- Branch is already in the requested state

lock-branch/action.yml

@@ -0,0 +1,81 @@
+name: 'Lock Branch'
+description: 'Locks or unlocks a branch by modifying the lock_branch setting in branch protection rules.'
+
+inputs:
+  branch:
+    description: 'The branch name to lock/unlock'
+    required: true
+  freeze:
+    description: 'Set to true to lock (freeze) the branch, false to unlock (unfreeze)'
+    required: true
+  slack-channel:
+    description: 'Optional Slack channel to notify about the state change'
+    required: false
+  github-token:
+    description: 'GitHub token with admin permissions (defaults to Vault)'
+    required: false
+  slack-token:
+    description: 'Slack token for notifications (defaults to Vault)'
+    required: false
+
+outputs:
+  branch:
+    description: 'The branch that was modified'
+    value: ${{ steps.run_python_script.outputs.branch }}
+  previous-state:
+    description: 'The previous lock state of the branch (true/false)'
+    value: ${{ steps.run_python_script.outputs.previous_state }}
+  current-state:
+    description: 'The current lock state of the branch (true/false)'
+    value: ${{ steps.run_python_script.outputs.current_state }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Get Secrets from Vault
+      id: secrets
+      if: ${{ !inputs.github-token || (!inputs.slack-token && inputs.slack-channel) }}
+      uses: SonarSource/vault-action-wrapper@v3
+      with:
+        secrets: |
+          development/github/token/{REPO_OWNER_NAME_DASH}-lock token | GITHUB_LOCK_TOKEN;
+          development/kv/data/slack token | SLACK_TOKEN;
+
+    - name: Set up Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: '3.10'
+
+    - name: Install dependencies
+      shell: bash
+      run: pip install -r ${{ github.action_path }}/requirements.txt
+
+    - name: Lock/Unlock Branch
+      id: run_python_script
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.github-token || fromJSON(steps.secrets.outputs.vault).GITHUB_LOCK_TOKEN }}
+        INPUT_BRANCH: ${{ inputs.branch }}
+        INPUT_FREEZE: ${{ inputs.freeze }}
+      run: |
+        python ${{ github.action_path }}/lock_branch.py \
+          --branch "$INPUT_BRANCH" \
+          --freeze "$INPUT_FREEZE" \
+          --repository "${{ github.repository }}" \
+          >> $GITHUB_OUTPUT
+
+    - name: Send Slack Notification
+      if: ${{ inputs.slack-channel != '' }}
+      shell: bash
+      env:
+        SLACK_TOKEN: ${{ inputs.slack-token || fromJSON(steps.secrets.outputs.vault).SLACK_TOKEN }}
+        INPUT_CHANNEL: ${{ inputs.slack-channel }}
+        INPUT_BRANCH: ${{ inputs.branch }}
+        INPUT_FREEZE: ${{ inputs.freeze }}
+      run: |
+        python ${{ github.action_path }}/notify_slack.py \
+          --channel "$INPUT_CHANNEL" \
+          --branch "$INPUT_BRANCH" \
+          --repository "${{ github.repository }}" \
+          --freeze "$INPUT_FREEZE" \
+          --run-url "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"