Github: How can I require PRs to be approved by me, unless they are my own?

I have a private Github repo which I want to make public, but:
I don't want people to be able to merge their PRs without my approval
I want to be able to merge my own PRs without anyone's approval
Is this possible, and how?
I couldn't find a combination of the above while looking at my repo's settings, unless I pay for a PRO account.

This may not be an exact answer, but it should be similar for a public repo. I have a private repo and a paid account with one additional user license, so I can review and require approval of other users' PRs.
This is how I set up protection: repo -> Settings -> Branches (under Code and automation) -> Branch protection rule -> enter a branch pattern (like release*). There are a number of checkboxes, and you want to pick whatever protection you need.
For example, I picked:
Require a pull request before merging
-- Require approvals
However, I found an interesting option which might be useful to you. So if you are an administrator you should be able to bypass the protection, but other non-admins cannot, is what I am gathering:
Do not allow bypassing the above settings
The above settings will apply to administrators and custom roles with the "bypass branch protections" permission.
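The settings walked through in this answer, expressed as the body GitHub's REST branch-protection endpoint accepts and as a check over what it returns (an added example, not part of the original answer and not GitHub's code). `can_merge_unreviewed` is a simplified model written for illustration, and the two sample responses are constructed and trimmed to the fields it reads.

```python
def protection_payload(approvals=1, bind_admins=False):
    """Body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.

    bind_admins=True corresponds to "Do not allow bypassing the above settings".
    """
    return {
        "required_status_checks": None,
        "enforce_admins": bind_admins,
        "required_pull_request_reviews": {
            "required_approving_review_count": approvals,
        },
        "restrictions": None,
    }

def can_merge_unreviewed(protection, is_admin):
    """Evaluate a GET .../protection response; None means the branch is unprotected."""
    if not protection:
        return True
    reviews = protection.get("required_pull_request_reviews")
    if not reviews or reviews.get("required_approving_review_count", 0) < 1:
        return True
    # In the GET response enforce_admins is an object with an "enabled" flag.
    admins_bound = (protection.get("enforce_admins") or {}).get("enabled", False)
    return is_admin and not admins_bound

def meets_owner_goal(protection):
    """True when an admin owner merges freely and everyone else needs an approval."""
    return (can_merge_unreviewed(protection, is_admin=True)
            and not can_merge_unreviewed(protection, is_admin=False))

# Constructed GET responses, trimmed to the fields used above.
OWNER_EXEMPT = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "enforce_admins": {"enabled": False},
}
EVERYONE_BOUND = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "enforce_admins": {"enabled": True},
}

if __name__ == "__main__":
    samples = [("owner exempt", OWNER_EXEMPT),
               ("everyone bound", EVERYONE_BOUND),
               ("unprotected", None)]
    for name, protection in samples:
        print(name, "->", meets_owner_goal(protection))
```

The exemption follows the admin role, not the individual: every account with admin rights on the repository can bypass the rule while `enforce_admins` is off.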

Related

Github Branch Protection

I currently use Github free. I have made a private repository and have added a few collaborators to it. Now, whenever they code, they make a PR for that. I want that only reviewed/approved PRs should be merged. I know that there are Github Branch Protection rules available for that but they are not available for private repositories with Github free. So I'm thinking to upgrade my Github to Github Pro. I want to ask if my collaborators also need to buy it? Like is it linked with the collaborators or with the repo or the account?
If I buy and add the rules, will it work for other collaborators too?
If the repository is on your account and not an organization, only you need the pro plan to set up rules. They will be active for all collaborators.

Prevent User from approving Pull Request

I have run into an issue where if my project managers are rushing, they sometimes will help move pull requests along by 'approving' them. As we have set the branch policy to require at least 2 approvals (and the creator cannot be one), this can be a bit of a frustration. I have moved the PMs into a new security group to isolate them from most options but I cannot find anything specific about Pull Requests. Does this just follow under the Contribute option or is there a specific way I can block them from being able to approve pull requests?
They have "Contribute to Pull Request" permissions, located under repo security settings. Remove that permission for the people you don't want to be approving PRs.

Disabling self pull request merge on github

In Github, is it possible to disable the option for users to open pull requests and merge them by themselves?
So that every pull request HAS to be approved by another user.
I believe protected branches offer this.
Go to the repository settings.
Go to "branches"
Choose the target branch you want to protect.
Check "Protect this branch", then require reviews. You can also include repository administrators.

Disallow merging your own pull request on GitHub

We have a practice in our company that people can't merge their own pull requests. PRs are only allowed to be merged by reviewers.
What can we do on GitHub to enforce this?
Is there some way which would disallow people to merge their own pull request or is there something which will be a good alternative for this policy?
This kind of policy is best managed in GitHub Organizations: it has a richer set of permissions.
You can define teams, and make the reviewer team the owner of the repo which accepts PR.
If you want the reviewer to not accept their own policy, then GitHub permissions wouldn't be enough, and you would need to put in place a listener able to alert you in that case (PR accepted by its author), using GitHub API PR Events.
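A sketch of the listener this answer describes, as an added example that is not part of the original answer: it authenticates a webhook delivery by its `X-Hub-Signature-256` HMAC and raises an alert when a `pull_request` event reports a PR merged by its own author. The secret, repository and logins are constructed, and the headers are assumed to arrive as a plain dict with these exact key names.

```python
import hashlib
import hmac
import json

def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this body and secret."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def self_merge_alert(event: str, body: bytes):
    """Return an alert string if the delivery is a PR merged by its author."""
    if event != "pull_request":
        return None
    payload = json.loads(body)
    pr = payload.get("pull_request") or {}
    if payload.get("action") != "closed" or not pr.get("merged"):
        return None  # still open, or closed without merging
    author = (pr.get("user") or {}).get("login")
    merger = (pr.get("merged_by") or {}).get("login")
    if author and merger and author.lower() == merger.lower():
        repo = (payload.get("repository") or {}).get("full_name", "?")
        return f"{repo} PR #{pr.get('number')} was merged by its author {author}"
    return None

def handle_delivery(secret: bytes, headers: dict, body: bytes):
    """Reject unauthenticated deliveries before parsing anything."""
    received = headers.get("X-Hub-Signature-256", "")
    if not hmac.compare_digest(sign(secret, body).encode(), received.encode()):
        raise PermissionError("webhook signature mismatch")
    return self_merge_alert(headers.get("X-GitHub-Event", ""), body)

# Constructed delivery: octo-dev opens and merges their own PR.
SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "action": "closed",
    "repository": {"full_name": "example-org/example-repo"},
    "pull_request": {"number": 7, "merged": True,
                     "user": {"login": "octo-dev"},
                     "merged_by": {"login": "octo-dev"}},
}).encode()

if __name__ == "__main__":
    headers = {"X-GitHub-Event": "pull_request",
               "X-Hub-Signature-256": sign(SECRET, SAMPLE_BODY)}
    print(handle_delivery(SECRET, headers, SAMPLE_BODY))
```

The signature is computed over the raw request bytes, so the body has to be read and verified before any JSON parsing or re-serialization.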

github: Collaborators Can Merge Their Own Pull Requests

I have one collaborator in my private github repository. After she sent me a pull request, she could actually go to the pull request screen and execute a merge, i.e. she had the privilege to merge her changes into my branch.
Is there some kind of setting that I need to set in order to make sure only I can do the merge? And, I don't think this is because my repo is private, right?
Thanks.
From 'https://help.github.com/articles/defining-the-mergeability-of-pull-requests/':
You can require pull requests to pass a set of checks before they can be merged. For example, you can block pull requests that don't pass status checks. You can also require that pull requests have at least one approved review before they can be merged.
By default, any pull request can be merged at any time, unless the head branch is in conflict with the base branch. But as your project matures and stabilizes, you can choose to enforce restrictions on how a pull request is merged into your repository.
Protected branches ensure that collaborators on your repository cannot make irrevocable changes to branches. These branches can also be protected by requiring pull requests to have at least one approved review before they can be merged.
You could use a service like PullApprove or required code reviews to ensure that you have to give permission first.
The "Manage multiple clients" GitHub help page mentions:
This approach lets you retain control over the repos, but still gives your clients access to them.
In many cases it is the cheapest route overall, though you will be stuck paying the bill yourself (unless you bill it to the client).
To use this strategy, upgrade your personal or org account to a paid plan.
Now you can add private repos for the client directly to this account.
If the client wishes to access the repos directly, they can create a free personal account and you can add that user as a collaborator (if the repos are on your personal account) or to a team (if the repos are on an org account).
With an org account you can also give them admin access to the repo if you wish.
So if your project was part of an org account instead of a personal account, you could have the choice of the admin access for the users you add as collaborators.