Retires a branch that is no longer actively maintained by:
- Updating
projects.json— removes the branch fromscheduledandjdkVersionsinconfig/projects.jsonin thespring-cloud-github-actionsrepository. Fails fast if the branch is set as the default, preventing accidental retirement of an active branch. - Removing Dependabot entries — removes every entry in the repository's
dependabot.ymlwhosetarget-branchmatches the retiring branch and commits the change to the default branch. If no entries remain after removal, thedependabot.ymlfile is deleted entirely. - Locking the branch — sets
lock_branch: trueon the branch via the GitHub Branch Protection API, preventing any further commits from being pushed. Existing protection rules (required checks, required reviews, etc.) are preserved; onlylock_branchis added/updated.
The token must have the following permissions on the target repository:
| Permission | Reason |
|---|---|
contents: write |
Commit the updated dependabot.yml to the default branch and update projects.json |
administration: write |
Set branch protection / lock the branch |
| Input | Required | Description |
|---|---|---|
repo |
yes | Repository in org/repo-name format |
branch |
yes | Branch to retire |
token |
no | Override token (falls back to GH_ACTIONS_REPO_TOKEN) |
| Input | Required | Description |
|---|---|---|
repo |
yes | Repository in org/repo-name format |
branch |
yes | Branch to retire |
| Secret | Required | Description |
|---|---|---|
token |
no | Falls back to GH_ACTIONS_REPO_TOKEN |
Run from the GitHub Actions UI by selecting Retire Branch, then supplying the repository and branch name.
jobs:
retire:
uses: spring-cloud/spring-cloud-github-actions/.github/workflows/retire-branch.yml@main
with:
repo: spring-cloud/spring-cloud-circuitbreaker-commercial
branch: 3.1.x
secrets: inheritClones spring-cloud-github-actions and runs the
retire-branch-projects-json
action to update config/projects.json:
- For
-commercialrepos → modifies thecommercialsection of the project entry. - For OSS repos → modifies the
osssection. - If the branch is listed in
branches.default→ fails the workflow before making any other changes. - If the branch is not found in
scheduledorjdkVersions→ logs a message and skips that operation.
The workflow clones the default branch of the target repository (that is
where dependabot.yml is read by GitHub) and uses yq to delete every
updates[] entry whose target-branch equals the retiring branch.
- If no
dependabot.yml/dependabot.yamlis found → logs a message and skips. - If no entries match the branch → logs a message and skips.
- If entries are removed and none remain → deletes the file.
- Changes are committed with the message:
Remove Dependabot entries for retired branch <branch>
Fetches the existing branch protection settings via the GitHub API, then
re-applies them with lock_branch: true set. If no protection rules exist,
a minimal rule (all other constraints null/false) with lock_branch: true is
created.
Once locked, the branch is visible in the repository with a lock icon and GitHub will reject any push attempts to it.
create-commercial-branch.yml— creates a new commercial branchcreate-hotfix-branch.yml— creates a hotfix branch from an OSS tag