How to set up mandatory reviewers on GitHub - github

This is what I know so far from my understanding of GitHub:
GitHub allows default reviewers, whether it be for a specific type of file in any/certain location, through the creation of the CODEOWNERS file.
GitHub allows the number of reviewers that are required to approve a PR. You can also specify what type of access they have.
GitHub allows required review from Code Owners.
What I want to know is if there is a way to set up mandatory reviewers meaning that the PR can't get merged until certain people give their approval.
For example, I created a PR and I have reviewers A, B, C, D, E, and F. I want to make it so that this PR cannot get merged until reviewers A and B have approved it. I thought I could use the Require review from Code Owners but I think that it only requires at least one person to approve. The other idea that came to mind was just setting the required approval to the same number of people inside the code owners. Any help would be much appreciated.

I thought I could use the Require review from Code Owners but I think that it only requires at least one person to approve.
Your assumption is right. Currently, you can request multiple owners to review a PR, but only one of the reviews will be mandatory.
You can check the accepted answer in this GitHub Community discussion for more details.
As for the second part of your question,
setting the required approval to the same number of people inside the code owners
I believe that should do the trick. You may also want to follow the tip described in "Approving a pull request with required reviews" and ensure that code owners are the only persons with write permissions to the repo so that no other persons or groups will mess up the review process:
If your repository requires approving reviews from people with write or admin permissions, then any approvals from people with these permissions are denoted with a green check mark, and approvals from people without these permissions have a gray check mark. Approvals with a gray check mark do not affect whether the pull request can be merged.
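One way to enforce "A and B must both approve" is a required status check that evaluates the PR's reviews itself. The following is an added example, not code from the original posts; it assumes review objects shaped like GitHub's "list reviews for a pull request" REST response (`user.login`, `state`, `submitted_at`), and the reviewer names and sample data are constructed.

```python
"""Check that every mandatory reviewer's latest decisive review is an approval."""

# States that change a reviewer's standing; COMMENTED reviews leave it untouched.
DECISIVE = {"APPROVED", "CHANGES_REQUESTED", "DISMISSED"}


def missing_approvals(reviews, mandatory, author):
    """Return the sorted mandatory reviewers who have not (still) approved.

    reviews   -- list of dicts with user.login, state, submitted_at
    mandatory -- logins that must all approve (hypothetical policy input)
    author    -- PR author's login; never counted as an approver
    """
    latest = {}
    # ISO 8601 UTC timestamps sort correctly as plain strings.
    for review in sorted(reviews, key=lambda r: r["submitted_at"]):
        login = review["user"]["login"].lower()
        if review["state"] in DECISIVE:
            latest[login] = review["state"]
    required = {m.lower() for m in mandatory}
    approved = {
        login for login, state in latest.items()
        if state == "APPROVED" and login != author.lower()
    }
    return sorted(required - approved)


# Constructed sample data: B approves, then requests changes; A approves, then comments.
SAMPLE_REVIEWS = [
    {"user": {"login": "reviewer-a"}, "state": "APPROVED", "submitted_at": "2024-01-10T09:00:00Z"},
    {"user": {"login": "reviewer-c"}, "state": "APPROVED", "submitted_at": "2024-01-10T09:05:00Z"},
    {"user": {"login": "reviewer-b"}, "state": "APPROVED", "submitted_at": "2024-01-10T09:10:00Z"},
    {"user": {"login": "reviewer-b"}, "state": "CHANGES_REQUESTED", "submitted_at": "2024-01-10T11:00:00Z"},
    {"user": {"login": "reviewer-a"}, "state": "COMMENTED", "submitted_at": "2024-01-10T11:30:00Z"},
]

if __name__ == "__main__":
    missing = missing_approvals(SAMPLE_REVIEWS, ["reviewer-a", "reviewer-b"], "pr-author")
    print("blocked, waiting on:" if missing else "all mandatory reviewers approved", missing)
    raise SystemExit(1 if missing else 0)
```

Approvals given before later commits still count here; compare each review's `commit_id` with the PR head if stale approvals should not.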

Related

How to restrict author to not review the code

I am the author of the code and I am also part of the code owners group list (one of the members).
Is there any possible way to stop me from reviewing my own code? Because I am the author, I am not supposed to review the code.
Are there any rules I can implement to stop this review?
First, you need to make sure that you have a branch protection rule defined for the branch the PR is going to be targeting.
Docs: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
Once there, you will need to make sure you have at least the following checked off:
Require a pull request before merging
Require approvals (defaults to 1)
Require review from Code Owners
Do not allow bypassing the above settings
The last setting is the key for this to work correctly. This will require all users to adhere to the rule. Without it, admins and owners of the repo will be allowed to bypass the rule. Some organizations allow for this to prevent emergency fixes from getting blocked by "red tape".
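The four settings above can be verified against a repository rather than checked by eye. This is an added example, not code from the original answer; it assumes the JSON shape returned by GitHub's "get branch protection" REST endpoint, where the bypass setting appears as `enforce_admins.enabled`, and the sample responses are constructed.

```python
"""Audit a branch-protection response for the four settings listed above."""


def audit_protection(protection, min_approvals=1):
    """Return a list of findings; an empty list means all four settings hold."""
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        # Without this object, changes can reach the branch with no pull request.
        findings.append("Require a pull request before merging: off")
        reviews = {}
    if reviews.get("required_approving_review_count", 0) < min_approvals:
        findings.append(f"Require approvals: fewer than {min_approvals}")
    if not reviews.get("require_code_owner_reviews", False):
        findings.append("Require review from Code Owners: off")
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        # Admins and repo owners could merge without meeting the rules above.
        findings.append("Do not allow bypassing the above settings: off")
    return findings


# Constructed sample responses, trimmed to the fields the audit reads.
STRICT = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 2,
        "require_code_owner_reviews": True,
    },
    "enforce_admins": {"enabled": True},
}
ADMIN_BYPASS = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "require_code_owner_reviews": False,
    },
    "enforce_admins": {"enabled": False},
}

if __name__ == "__main__":
    for name, sample in (("strict", STRICT), ("admin-bypass", ADMIN_BYPASS)):
        print(name, audit_protection(sample) or "OK")
```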

Azure DevOps pull request forbid manipulation of required reviewers

Is there any way in Azure DevOps to forbid people from adding/removing required reviewers when creating a Pull Request?
I have set up the policy "Automatically included reviewers" with a bunch of required reviewers.
But still, anyone who creates a PR can easily add someone else to the required reviewer list or remove anybody from the automatically included required reviewers.
I want anyone to create a PR but not add/remove any required reviewer.
Apparently this is not possible, and they don't seem to consider it a bug. See this feedback item. I think it is ridiculous that they don't consider this a bug. When you set a branch policy stating: Pull requests to this branch can only be completed when these reviewers have reviewed it, only people having the permission Bypass policies when completing pull requests should be able to complete the pull request without adhering to the policies, which includes the required reviewers policy.
I've added a new feedback item to stress this. Feel free to update this feedback item; however, history tells me they will either acknowledge the issue and never fix it, or still deny it is a bug.
We will probably have to learn to live with this bug.
If a required reviewer is added via Automatically included reviewers, the reviewer can't be removed:
For reviewers added manually or via the API there's no way to forbid it as far as I know.
The following feature request implicitly confirms this:
https://developercommunity.visualstudio.com/t/Users-able-to-change-required-reviewer-t/1196519

Only allow users under a certain AD Group to approve Pull Requests on Azure DevOps

In my organisation we use Azure DevOps and we have a repository where we want developers to be able to create pull requests with changes to it, but only developers belonging to a certain AD group to be able to approve them. What's the best way to achieve this in Azure DevOps?
According to Microsoft Documentation there is a permission called "Contribute to pull requests" which allows "Can create, comment on, and vote on pull requests." However, disabling this would mean that people cannot create pull requests. I want them to be able to create the pull request, just not able to approve them and complete them.
However, disabling this would mean that people cannot create pull
requests. I want them to be able to create the pull request, just not
able to approve them and complete them.
If the Contribute is set to Deny, then the developer can review the code/create new branch/create PR/approve PR but can't push changes to master branch or branch not created by himself/complete PR. So this option can only partly meet your needs.
Apart from the above, the most recommended way in this scenario is to use Branch Policies.
Since the original purpose is to prevent developers from completing the PR themselves, you can set both the Require a minimum number of reviewers and Automatically Include reviewers options to meet your original needs:
That way, no PR into the master branch can be completed until it gets enough approvals from a specific group (the group you're in, Project Administrators, or whatever). Then the developers can create the PR, but the PR can only be completed with approvals from you (team admins/managers?).
You can choose one of the above two options or combine them together to meet your needs.
In addition: if all of the above still can't meet your requirements very well, feel free to post your feature request in our User Voice forum; the Product Team would consider your feedback. Follow the feedback and you can get notifications if there's any update.
Hope all above helps :)

Restrict who can approve pull request

I'm just wondering if there is any way to restrict who can approve pull requests, or who can be included on a pull request.
I know you can provide a list of reviewees from a group, or set up auto reviewers... but specifically say people in role x, cannot hit approve or deny on a pull request.
but specifically say people in role x, cannot hit approve or deny on a pull request.
The most direct or best way to restrict approval requests is to add auto reviewers or groups.
If you want to assign this permission to the people in role X instead of adding reviewers or groups, I am afraid Azure devops does not provide a feature to meet this requirement at this moment.
Besides, if anyone in role x is not among the reviewers, then whether he approves or rejects the PR is not decisive for the final PR completion; it is like a comment:
So, suppose we have such a function, but it is still limited to reviewers.
Hope this helps.

On GitHub, what's the difference between reviewer and assignee?

A feature added on Dec 7, 2016, announced on the GitHub blog, introduced the option to add reviewers to a Pull Request:
You can now request a review explicitly from collaborators, making it easier to specify who you'd like to review your pull request.
You can also see a list of people who you are awaiting review from in the pull request page sidebar, as well as the status of reviews from those who have already left them.
However, explicitly setting a reviewer for a PR was already done by assigning people (assignees option).
With both options now available, what's the role of each option since they both share the same end goal?
EDIT:
After discussing with several OSS maintainers, "reviewer" is defined as what the word is supposed to mean: to review (someone's code), and "assignee" has a looser definition, explained below.
For "reviewer": someone you want to review the code. Not necessarily the person responsible for that area or responsible for merging the commit. Can be someone who worked on that chunk of code before, as GitHub auto-suggests.
For "assignee": up to the project's team/maintainer what it means and there's no strict definition. It can be the PR opener, or someone responsible for that area (who is going to accept the PR after the review is done or just close it). It's not up to GitHub to define what it is leaving it open for project maintainers what fits best for their project.
Previous answer:
Ok I'll go ahead and answer my own question.
For PRs of users with write-access: the Assignee would be the same person who opened the PR, and the reviewer would replace the old assignee function (reviewing code), this being someone of the assignee's choice.
For PRs of users without write-access (outside contributors): someone with write-access would assign herself (or another write-privileged member) to review the PR (Reviewer). Assignee is blank.
For unfinished PRs from outside contributors: the write-access member would take the unfinished work and assign it to herself. She will be responsible for finishing the task, being the Assignee. Since the main reason for PRs is reviewing changes, she would select some other people to review the changes.
In GitHub a reviewer is a person who reviews the pull request. A project owner can request review from any of the maintainers. They can even set an option so that the pull request can be merged only if it is reviewed by one of the maintainers with write access.
According to official GitHub documentation, Assignee is a person who is working on specific issues and pull requests. It is sometimes confused with a reviewer. It is actually meant to be used with issues rather than pull requests, so that when we receive an issue we can assign someone to fix it. In a pull request, an assignee refers to a person who's in charge of merging that pull request after getting comments and change requests from other maintainers.
As per the accepted answer. Yes, "assignee" has a looser definition and can be used differently to suit a team's needs.
In our team of 8 devs, in most PRs we have 1 reviewer, who suggests changes and ultimately approves the PR. During review phase, "assignee" is the person who opened the PR; later on if PR is picked up by other developer, a new "assignee" is added. Once PR is approved and ready for QA or direct merge, a new QA "assignee" is added. This way "assignee" list grows.
We use "assignee" to designate the following people collectively:
1. Pull Request Author
2. Author working on PR change suggestions (usually same as 1)
3. QA person involved
4. Person responsible to merge (usually same as 2 or 3)
Using "assignee" helps locating the PR in future easily. One of my projects has >3000 PRs.
is:open is:pr author:raya-dumas
is:closed is:pr assignee:raya-dumas
Or just author:raya-dumas to find all items author created (issues, PRs)
and other similar queries to ease the search process. "milestones" are quite helpful to use as well to ease PR search.
The biggest difference between "reviewers" and "assignees" is that reviewers actually have a tracked state according to GitHub -- did they review the PR yet or not?
When you add a reviewer, what it actually does is create a "review request":
The reviewer gets notified (like an "assignee" would) but now they actually have a task they can complete, which is to provide a "review" on a pull request:
After the reviewer leaves a review (approving or requesting changes), that information is tracked in the GitHub API and interface:
With assignees, you can associate people with a PR but beyond that GitHub doesn't really care what that means or what those people need to do. With reviewers, you can use new search queries, "protect" branches, assign reviewers with CODEOWNERS, and build deeper API integrations around review assignment and workflows manually or through tools like PullApprove.
Before, GitHub only had an assignee field and no reviewer field. There was no distinction back then, so the assignee field was most commonly used as a reviewer field.
But use them whatever way suits your project.
Another difference: the person who created the PR can assign himself/herself as the assignee, however cannot request himself/herself as one of the reviewers.