Branch Protection Filter Is Broken

I've authored a simple policy to delete old branches. I've set the protected: false condition.

resource_rules:
  branches:
    rules:
      - name: Delete Ancient Branches
        conditions:
          protected: false # only delete branches that are not protected
          date: # delete branches that have not been updated in 3 years
            attribute: committed_date
            condition: older_than
            interval_type: years
            interval: 3
        actions:
          delete: true
        limits:
          oldest: 100 # only consider the 100 oldest branches

I'm finding that the filter on protected does not work, and that the plan identifies protected branches for deletion. This behavior is the same whether the value is set true or false. If set to something silly like protected: bob, the tool still runs, and all branches are filtered.

If I wanted to move forward with this behavior, I would have to use a PAT with Developer access, to ensure that it cannot delete protected branches.

Have I missed something?

Edited Jul 23, 2024 by Walter Elder