Id like to configure my branch protection rules as code, perhaps even more GitHub Settings, is there any way to do so.
Related
Is it possible to enable branch protection rules at the organisation level in Github so that all repositories that are part of that organisation inherit these rules for the applied branches. Right now it's really a hassle to enable those same set of rules on a per repo basis for same set of branches. Please help on how we can achieve this
Right now it's really a hassle to enable those same set of rules on a per repo basis for same set of branches.
There is no organization level default option to set a branch protection for all repositories in an org.
If this is something you don't want to repetitively do by hand, you can take a look at the GitHub API for Branch Protection. That way you can run a short script whenever you setup a new repo or have a job run periodically that sets and confirms the branch protection for all repos in the org at once.
User from a group like Build Administrator can access the project from Azure Devops. I need to control the user in that group to upload the file directly to the master branch. The user can manually upload files to all branches except Master. Because my master branch is based on Pull request. How can I implement this? Does it need any permission?
There are a few critical branches in your repo that the team relies on always being in good shape, such as your master branch. Require pull requests to make any changes on these branches. Developers pushing changes directly to the protected branches will have their pushes rejected. Thus, following this doc: Improve code quality with branch policies to protect your master branch.
In addition, be reference to this doc: Allow bypassing branch policies without giving up push protection, please note that these 2 permissions(Bypass policies when completing pull requests and Bypass policies when pushing) shouldn’t be granted to your mentioned Build Administrator group for master branch. See: Set branch permissions for details.
As soon as you enable any policy on your default branch changes must be made via pull request.
From the branch policy dialogue
Branch Policies: Note: If any required policy is enabled, this branch cannot be deleted and changes must be made via pull request.
So to disable direct commits follow these steps:
Navigate to project settings (cogwheel)
Repositories > select your repo
Navigate to Policies
In the Branch Policies section select your default branch
Enable any policies that make sense to your use case. Require a minimum number of reviewers might be a good starting point.
Just to understand,
You want to allow your user to store their files on the master branch ? Which tool are they using to upload ? Visual Studio or just drag & drop ?
Anyway you can have some settings on the azure devops by going on
Azure Devops ---> Your Repository --> Branches --> Select the branch you want to modify and click on the 3 dots (...) --> Select Branch Policies
I want to set up a proper workflow on GitHub where junior engineers submit pull request for code review and only the lead engineer can commit to the master branch.
I'm looking for input from professionals that work in a commercial software environment. I've found the page that does the permissions easy enough. There are several options. Restrict who can push to matching branches of course. Should I check others as well?
The other approach, beside the branch permission within one repo, is the gate repo:
you are setting up a public repo where developers can commit (on master or topic branches)
you are using a private, or repo within an organisation, from which you can pull
That way, you or your organisation team control the contribution you chose to include in the master of that main repository.
It seems to me that you can only see the vulnerable dependencies on the master branch. I fixed those mentioned in the alert on a separate branch and want to check if in fact the vulnerable dependencies are fixed, so what I really need is to be able to check the alert for the specific branch, can this be done?
I had this same issue.
The problem with GitHub's Security Alert feature is that it will always scans the default branch of a repository. This is normally the master branch. Therefore, any changes to resolve security issues made to other branches will not be recognised by GitHub.
The workaround.
You can change the default branch to be any branch in your repository! Including the one you have done the work to resolve the security issues.
On GitHub, navigate to the main page of the repository.
Under your repository name, click Settings.
In the left menu, click Branches.
Choose the new default branch.
Once you have changed the default branch to the branch you have done the resolving work on, GitHub's Security Alert feature will start to scan that branch.
And you should see the security alerts that you have resolved disappear.
Afterwards you can change the default branch back to the master branch and only change it when you are specifically working on resolving security vulnerabilities.
The security alerts for vulnerable dependencies reported by GitHub might be valid only for the default branch (usually master, but you can change it).
If you are not ready to merge your fix to the default branch of your repo, one workaround would be to push that branch to the default (again, usually master) branch of a new dedicated (and temporary) repository, just to check if any new alerts are detected on that new repo.
Update Oct. 2020, 2+ years later: Michael Greisman points out in the comments to this GitHub Community answer and the documentation "About alerts for vulnerable dependencies".
It confirms that the scan is done against the default branch.
"Once the fix... is merged into the default branch... GitHub will schedule a new scan of your project’s dependencies".
As a GitHub administrator, I would like to lock a particular branch in GitHub for all users.
For e.g. if I do not want anyone to push to Master/Production or a Project branch, how can I do that.
Instead of using any client side hooks, is there a way to lock a branch on GitHub server directly ? Are there any third party tools/api's/scripts which can help achieve this ?
#Saurabh, I have done a similar thing according to your requirement on GitHub:
Navigate to Settings
Navigate to Branches
Tap on Add Rule near "Branch protection rules"
Tick the Require pull request reviews before merging checkbox
These steps apply a lock on, for example to master, so that no collaborators can push code to this branch. Code only be merged using pull requests.
Link to documentation
Screenshots:
Note: Protected branches are available to Pro, Team, and Enterprise users
The easiest solution is to have that branch in its own repo (for which no collaborators) are declared.
Otherwise, GitHub doesn't provide any native "branch protection" feature, as mentioned in "How to protect “master” in github?"
You could setup a webhook which on a push event can refuse the push if the branch has a given name.
An example would be terite/pull-to-master which protects master:
if (json.ref != 'refs/heads/master')
return cb([200, 'Skipping, not master']);
This is not a client-side hook, but it does require a client to listen to the JSON payload of the push event in order to react to it.
Since Oct. 2022, there is a simpler option:
New Branch Protections: Last Pusher and Locked Branch (Oct. 2022)
Push protection enabled.
This allows for branches to be locked, prohibiting changes.
You can lock a branch allowing you to have a maintenance window and prevent changes, or to protect a fork so it only receives changes from its upstream repository.
To use this feature in a branch protection rule, enable Lock branch.
For more information, read About protected branches in the GitHub documentation.
We appreciate feedback on this and other topics in GitHub's public feedback discussions.