See title. Worst case, is there a way I can track the history of commit removals?
Like Tim Biegeleisen said, the best way to do this is to restrict push access to your repository, and only let people contribute to your repository through pull requests (which you can then monitor).
Add a branch protection rule
Define branch protection rules to disable force pushing, prevent branches from being deleted, and optionally require status checks before merging. New to branch protection rules?
Go to your repo settings -> Branches -> Add rule
Configuring protected branches
Defining the mergeability of pull requests
We had an incident where one of our devs merged into the master branch directly, which shouldn't have happened.
We use a "feature" branch that goes into the "rc" branch directly, which is then QA'ed and merged into "master" after deployment.
I'd like to see if there is a way to restrict it so that only "rc" branches can be merged into master, and reject all other pushes.
Since we are using a private repo, branch protection via GitHub settings might not work, so I was looking into a pre-push hook, but is the above scenario possible?
Thank you.
Looked into GitHub settings -> branch protection: it wasn't available for a private repo.
Looked into usage of a pre-push hook; wasn't able to find a good example for our usage so far.
According to the GitHub docs, you'll need at least GitHub Pro to create branch protection rules with a private repo.
There are other ways to do it, but based on how much time they'll take and what a pain they'll be to deal with, $4/month for pro is almost certainly the easiest way IMO.
I'm defining branch protection rules on GitHub, and I would like to know if there is any way to define a Pull Request flow like: qa --> main.
I know it's possible to require pull request before merging (on Require a pull request before merging flag under Branches > Branch protection rule), but I didn't find any option for defining this flow.
There's no way on GitHub to force a source branch to be fixed to a certain value, but you can solve this problem with a required CI check that fails if the PR to main has the wrong source branch. That's the usual way that people handle this sort of issue.
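Added example, not code from this answer or from GitHub: a required CI check of the kind the answer describes, written as a shell step for a GitHub Actions `pull_request` job. It covers both flows asked about on this page (qa -> main, and rc -> master from the earlier question); `PR_FLOW_RULES`, `check_source_branch` and `enforce_pr_flow` are assumed names, while `GITHUB_BASE_REF` and `GITHUB_HEAD_REF` are the variables Actions sets on pull_request events.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer: a required CI check that
# fails a pull request whose source branch is not the one the team's flow
# allows for that target (qa -> main here; master:rc covers the rc -> master
# case). PR_FLOW_RULES is an assumed name; GITHUB_BASE_REF and GITHUB_HEAD_REF
# are the variables GitHub Actions sets on pull_request events.

# Space-separated "target:allowed-source" pairs. Targets not listed accept any source.
PR_FLOW_RULES="${PR_FLOW_RULES:-main:qa master:rc}"

# check_source_branch TARGET SOURCE -> 0 if the pairing is allowed, 1 otherwise.
check_source_branch() {
    dst="$1"
    src="$2"
    for rule in $PR_FLOW_RULES; do
        target="${rule%%:*}"
        allowed="${rule#*:}"
        if [ "$target" = "$dst" ]; then
            if [ "$src" = "$allowed" ]; then
                return 0
            fi
            return 1
        fi
    done
    return 0
}

# enforce_pr_flow: read the Actions environment, print a verdict, fail the step on a violation.
enforce_pr_flow() {
    dst="${GITHUB_BASE_REF:-}"
    src="${GITHUB_HEAD_REF:-}"
    if [ -z "$dst" ] || [ -z "$src" ]; then
        echo "not a pull_request event (no GITHUB_BASE_REF/GITHUB_HEAD_REF); nothing to check" >&2
        return 0
    fi
    if check_source_branch "$dst" "$src"; then
        echo "ok: pull request $src -> $dst follows the branch flow"
        return 0
    fi
    echo "refusing: pull requests into '$dst' must come from the branch named in PR_FLOW_RULES, not '$src'" >&2
    return 1
}

# In a workflow step, run:  bash check_pr_flow.sh --enforce   (and mark the check as required)
if [ "${1:-}" = "--enforce" ]; then enforce_pr_flow; fi
```

Marking this workflow as a required status check in the branch protection rule for `main` is what turns a failing run into a blocked merge.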
I have a branch protection rule in place in GitHub which matches all branches, so none can be deleted. I want to change that so that the person who created a branch can delete it. So, I can delete my branch but not someone else's, and vice versa.
Is there a way to do that?
No, there is no way to add security on individual things in most things GitHub. In general, there is a revert option for these actions, since the commits these branches pointed to will never really go away anyway.
You can add a Branch Protection to a branch to prevent accidental deletions, but you can't auto-restrict the allow deletions of those branches to the person who originally pushed that branch:
New to GitHub, I have created a remote PRIVATE repository called X, and have a collaborator -person Y. Currently, person Y can simply accept the invitation to be a collaborator, and without forking the repo, simply make an edit, commit changes, and it appears on the master branch. This is obviously undesirable and it seems nonsensical that this is even allowed by default.
I would like person Y (collaborator) to:
-have to fork the repository and work only on the forked repo
-have to make changes ONLY via a pull request
-have to have a pull request, accepted/approved by me, before it is committed to master.
I looked through some answers, and tried:
-going to settings
-going to branches (on the left)
-changing access rights
I noticed however, that it required an upgrade.
I am certain I have heard/read that GitHub allowed full features for up to three collaborators.
Other similar questions on SO, have 0 answers.
I have also seen this option in settings:
"When merging pull requests, you can allow any combination of merge commits, squashing, or rebasing. At least one option must be enabled. If you have linear history requirement enabled on any protected branch, you must enable squashing or rebasing."
Allow merge commits
Add all commits from the head branch to the base branch with a merge commit.
It isn't clear to me what the above is referring to. If I checked that, would it stop all commits from collaborators from being directly pushed to the master branch without authorisation?
Update:
I noticed some answers that suggested this (protecting a branch) cannot be done, but it is good practice to simply AGREE to always create a pull request. I require a pull request to be mandatory - if it is not enforced, an accidental push to master could obviously occur.
The question then is, what are workarounds for this (without having to pay).
Forking? How do you 'grant' access to another user to a PRIVATE repository. I could only see the option to share access by inviting as a collaborator.
There is this option which says: Default branch
The default branch is considered the “base” branch in your repository, against which all pull requests and code commits are automatically made, unless you specify a different branch.
In the above case, how would I go about creating a copy of the master branch, as it were, for collaborators to work off of, so that the actual master branch is 'protected'?
The only other option I can think of is to create three levels.
One. Me: Project (with master branch protected, because I only grant access to Me 2)
Two. Me 2: I am granted collaborator access and I fork the project (call it something else).
Three. I then grant collaborator access (if this is allowed) to the forked project, to someone else. This way, the collaborator can make changes to the forked project in Part 2, but not the original master project in Part 1.
Again, this all seems terribly long winded and unnecessary when all that is needed is for the master branch to be protected, only allowing pushes to master via pull requests which need to be authorised.
Any other options? Any advice or suggestions would be appreciated.
Do we have any way to gate-keep our organisation's GitHub commits? I want to ensure none of our developers' GitHub commits to a public repository are exposing any specific strings/keys.
So, a gatekeeper script which parses through the commits made by our developers and forbids a commit in case it exposes a particular string. I am aware a private repository is the obvious solution, but we should have the restriction on public repositories too.
You might consider putting in place a GitHub Action workflow, similar to this repository in order to scan the content of a pushed commit (using one of the security scanners).
And, as an action, you could reset the branch to the previous commit, effectively cancelling what has just been pushed.
If the action does not detect any sensitive data, you can in turn push the commit to a protected branch, which acts as the blessed content from which developers can pull.
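Added example, not code from this answer or from the repository it links to: the scanning step of a push-triggered workflow like the one described, which inspects only the lines a push added and fails when they look like credentials. `SECRET_PATTERNS`, `scan_diff`, `scan_push` and the sample diff are constructed for illustration; `github.event.before` and `github.sha` are the push-event values a workflow would pass in.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer or any real project: the
# scanning step of a push-triggered workflow that looks at the lines a push
# *adds* and refuses them if they look like credentials. The patterns are
# illustrative assumptions; production setups should use a maintained scanner.

# One POSIX extended regex per line, matched case-insensitively against added lines.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}
-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
(api|secret|access)[_-]?(key|token)[[:space:]]*[:=][[:space:]]*"?[A-Za-z0-9_/+-]{16,}'

# scan_diff: read a unified diff on stdin; return 0 if clean, 1 if a pattern matched.
scan_diff() {
    diff_text=$(cat)
    # Keep only "+" content lines, dropping the "+++ file" header and the leading "+".
    added=$(printf '%s\n' "$diff_text" | grep -E '^\+' | grep -Ev '^\+\+\+' | cut -c2- || true)
    hits=0
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        matches=$(printf '%s\n' "$added" | grep -E -i -e "$pat" || true)
        if [ -n "$matches" ]; then
            printf 'refusing push: pattern /%s/ matched added content:\n%s\n' "$pat" "$matches" >&2
            hits=$((hits + 1))
        fi
    done <<EOF
$SECRET_PATTERNS
EOF
    [ "$hits" -eq 0 ]
}

# scan_push OLD NEW: scan what a push introduced. In a GitHub Actions push job,
# OLD is github.event.before and NEW is github.sha (checkout with full history).
scan_push() {
    git diff "$1" "$2" | scan_diff
}

# Constructed sample diff (AKIAIOSFODNN7EXAMPLE is the AWS documentation example key, not a live one).
SAMPLE_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = False
-AWS_KEY = ""
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+api_token = abcdefghij1234567890'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DIFF" | scan_diff && echo "clean"
fi
```

Because the scan runs after the commit has already reached the public repository, treat a hit as an exposed secret to rotate, not merely as a push to undo.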