I am looking for a way by GitHub setting or CircleCI settings preventing the person that is involved in PR (create PR or make a commit) to be able to merge PR (or even approve it).
So far I have the protection of a branch that requires approvals but post-approval I as PR creator and committer I still able to merge.
You need to be able to
prevent the person that is involved in PR (create PR or make a commit) to be able to merge PR (or even approve it)
A contributor who has created a PR cannot approve or request changes by default in GitHub, so that is already taken care of.
Since a Pull Request is a GitHub feature, a PR merge can currently only be blocked by 2 ways
Using GitHub's settings
Using pre-receive hooks (only for GitHub Enterprise)
Using GitHub's settings, you can only block merging by requiring either pull request reviews, status checks to pass, signed commits or linear history as shown under the branch protection settings.
or by allowing merge commits, squash merging or rebase merging as shown in the Merge button section under repo settings
If you are on GitHub Enterprise, you can use a pre-receive hook (documentation) like below and ensure that self merging PRs are blocked (This eg is here)
if [[ "$GITHUB_VIA" = *"merge"* ]] && [[ "$GITHUB_PULL_REQUEST_AUTHOR_LOGIN" = "$GITHUB_USER_LOGIN" ]]; then
echo "Blocking merging of your own pull request."
exit 1
fi
exit 0
Apart from the above, there is no other way currently to block self merging PRs on GitHub. And using CircleCI or any other CI workflow can only block merging for everybody(if you opt for the requirement of status checks on GitHub) or nobody, as it can't control the PR merge button.
Greeting! The short answer is no. Now the longer answer! GitHub supports enabling master branch protection. This can help you enforce all kinds of rules like:
All PRs must have a code review before being merged
The reviewers of the code need to be an admin
The reviewers of the code need to be in a CODEOWNERS file
A subset of status checks all need to pass
For all of these rules, the assumption is that once they've been satisfied, anyone with write access to the repository can merge the PR. I'm curious - in what situation do you want to prevent that?
Now onto the bad ideas. If this was super important - you could take the drastic step of ensuring no human is responsible for merging PRs :) You could add a codeowner that is mapped to a robot account, ensuring that robot account performs an approval before the PR can merge. To that end, you could write logic in a custom GitHub action that's triggered on PR events to determine if the PR should be merged, and auto-merge it if all appropriate conditions are met.
I'm curious - why is this something you wanna do?
I've built an Action to provide this; should work on GitHub.com, GHEC, and GHES: https://github.com/marketplace/actions/dismiss-code-reviews-from-collaborators
As always, Issues & PRs are welcomed: https://github.com/peckjon/reject-pr-approval-from-committer
Related
I am working on a repo where I am the owner and only author in it.
I want to have in my repo the same behavior as I would when working with a team that protects my branch from direct commits as they must go through a Pull Request. The reason for doing so is to protect from my own mistakes as I sometimes go back to main branch and accidentally push code to it. I want only code that passed through a Pull Request to be able to be merged to main branch.
In order to achieve such behavior I added the following rule to my main branch -
Which is almost what I need, expect that I am locked without the ability to approve my PR's as there is a message I get saying authors of the PR can't approve their PR's - a logical error nonetheless, but if I am working alone in the repo this is not what I am looking for.
How can I achieve what I am looking for?
Simply disable "Require approvals" (the second checkbox in your screenshot), you will still be required to create a PR.
You can merge your own PRs, the only thing you cannot do is to approve your own work (after all: why would you? Hopefully you deem your own changes good!)
I am trying to make a backup PR for my repo when there is new PR merged.
Is this possible to do it with GitHub actions?
Also, could it be a stand alone app/repo to manage other repos?
You would probably only create a revert PR only after the initial PR was merged, otherwise you could run into all kinds of issues.
This can definitely be implemented via GitHub Actions, by getting triggered by a PR merged trigger and checking the added commits in the initial PR and creating a revert for them back to whatever the base branch was before.
Still, GitHub is already able to do this natively with a click of a button in a PR, so I'm not sure what need this would fill.
See GitHub Docs: Reverting a pull request
I'm defining branch protection rules on GitHub, and I would like to know if is there any way to define a Pull Request flow like: qa --> main.
I know it's possible to require pull request before merging (on Require a pull request before merging flag under Branches > Branch protection rule), but I didn't find any option for defining this flow.
There's no way on GitHub to force a source branch to be fixed to a certain value, but you can solve this problem with a required CI check that fails if the PR to main has the wrong source branch. That's the usual way that people handle this sort of issue.
New to GitHub, I have created a remote PRIVATE repository called X, and have a collaborator -person Y. Currently, person Y can simply accept the invitation to be a collaborator, and without forking the repo, simply make an edit, commit changes, and it appears on the master branch. This is obviously undesirable and it seems nonsensical that this is even allowed by default.
I would like person Y (collaborator) to:
-have to fork the repository and work only on the forked repo
-have to make changes ONLY via a pull request
-have to have a pull request, accepted/approved by me, before it is committed to master.
I looked through some answers, and tried:
-going to settings
-going to branches (on the left)
-changing access rights
I noticed however, that it required an upgrade.
I am certain I have heard/read that GitHub allowed full features for up to three collaborators.
Other similar questions on SO, have 0 answers.
I have also seen this option in settings:
"When merging pull requests, you can allow any combination of merge commits, squashing, or rebasing. At least one option must be enabled. If you have linear history requirement enabled on any protected branch, you must enable squashing or rebasing."
Allow merge commits
Add all commits from the head branch to the base branch with a merge commit.
It isn't clear to me what the above is referring to. If I checked that, would it stop all commits from collaborator's from being directly pushed to the master branch without authorisation?
Update:
I noticed some answers that suggested this (protecting a branch) cannot be done, but it is good practice to simply AGREE to always create a pull request. I require a pull request to be mandatory - if it is not enforced, an accidental push to master could obviously occur.
The question then is, what are workarounds for this (without having to pay).
Forking? How do you 'grant' access to another user to a PRIVATE repository. I could only see the option to share access by inviting as a collaborator.
There is this option which says: Default branch
The default branch is considered the “base” branch in your repository, against which all pull requests and code commits are automatically made, unless you specify a different branch.
In the above case, how would I go about creating a copy of the master branch, as it were, for collaborator's to work off of, so that the actual master branch is 'protected'?
The only other option I can think of is to create three levels.
One: Me: Project (with Master branch protected because I only grant access to -me 2)
Two. Me 2: I am granted collaborator access and I fork the project. (call it something else)
Three. I then grant collaborator access (if this is allowed) to the forked project, to someone else. This way, the collaborator can make changes to the forked project in Part 2, but not the original master project in Part 1.
Again, this all seems terribly long winded and unnecessary when all that is needed is for the master branch to be protected, only allowing pushes to master via pull requests which need to be authorised.
Any other options? Any advice or suggestions would be appreciated.
As repo reviewer you’ll get PR, review the code (semantics) and Github will simply check about merge ability of the changes.
If a (remote) collaborator works on a outdated master branch will potentially have positive feedback from tests. But might have hidden semantics issues or might break tests when merged on the latest master commit (hopefully at CD's pipeline test phase and before going to prod).
Said so, I agree that it’s always up to the reviewers to ensure that the PR should not break.
But I’m also thinking, why not helping the reviewer by warning that you are currently merging changes starting from a branch that is behind X commits from master?
Does it make sense? Or maybe there’s already something (invisible to me) that might alert us inside a PR UI about it?
P.S. I understand that.... if the above is confirmed this is not going to be a real question but a feature request to Github... but I think it's worth questioning about this.
You can make the master branch protected and require that the branch in the PR be up to date before allowing a merge. The GitHub documentation describes how to do this.