Is there any rule that can be configured on GitHub that restricts who can force-push? The way it looks right now is that any rule opened on any branch automatically prevents force-pushes to anyone (including administrators). I want to allow force-pushes to specific users/groups (e.g., administrators).
As noted in Tomerfi's answer, since Dec. 2021:
Specify who can force push to a repository
Instead of allowing all or no users to force push, admins can now be selective about who can force push to a repository.
The image below shows how in the past, admins could use a branch protection rule to allow force pushes for everyone or no one, including admins:
Branch protection rule to allow everyone or no one to force push:
This all-or-nothing approach didn't support limiting force pushes to select users or teams of an admin's choosing.
For example, you might have wanted to allow only a few people to force push, or you had an automated process that solely needed to force push.
Now, you can be specific about the people and teams who are allowed to force push.
As shown in the image below, select Allow force pushes and Specify who can force push. Then, search for and select the people and teams who should be allowed to force push.
Branch protection rule to allow everyone, no one, or select users or teams to force push:
For more information, visit Managing a branch protection rule.
Original answer (2019):
You can't directly setup that on GitHub.
You can setup different repositories though:
one where you can force push
one where the branch is protected to everyone.
Then you can make PR (Pull Request) from one repository to another.
This is now actually supported on GitHub:
https://github.blog/changelog/2021-12-21-specify-who-can-force-push-to-a-repository/
Related
Various posts (including Github API - create branch?) give the API calls to make to create a new branch in a github repo, and can obviously be used in a script. I have a slightly different usecase though: I need to create a release branch (like release-1.2.3) when I already have a branch protection rule to cover release-*. The problem: without the branch protection rule, the linked method worked, while with it I get error:
422 Unprocessable Entity
The branch protection rule is fairly standard: requires a PR, requires a status check (I believe only applies to the PR?), "Restrict who can push to matching branches" and "Restrict pushes that create matching branches" are ticked and set to a group that contains all our main team, but includes the user who corresponds to the Jenkins job from where I am running this from.
My guess is that if I can use the new(ish) "bypass branch protections" and clear the "Do not allow bypassing the above settings" settings in the rule would work - can't actually try as yet because I don't have the rights to create the associated custom role but probably will. Alternatively creating the branch on a local repo and pushing it should work given the permissions (yet to try as more scripting but probably will). Question: has anybody got an easier way of doing this?
Since we have many repos in our account, we use Cross-Repository policies for default branch. However, a small number of repos needs a different policy.
Specifically, we have a group that are added as automatic reviewers:
We would like to remove this group and use another group for a limited number of repos.
Is there a way to do that?
Here is the user voice for overwriting branch policies directly for certain repositories. Maybe it will be implemented in the future, but currently there are no way to do it directly.
However there is another way to do it which is also mentioned in MS documentation. You can simply allow for certain teams to bypass some policies in repo settings:
Select repository settings
Select desired repository
Select the team you want to grant this privilege
Set up to Allow three marked fields
This does not solve op question for automatic reviewers, so this can also be worked arround by going to desired repository default branch and adding a different reviewer there. In this case it will be two reviewers, but when making a PR users could simply choose which reviewer they want
How to turn off Cross-Repository policies for default branch for
certain repos
I think is is impossible. So far, there is no such option to control which repos enable the setting and which do not under the policies.
As a workaround, you have to set the policies setting for each repo.
Besides, if this does not meet your requirement, you have to suggest a feature to the Team and they will handle your suggestion carefully.
New to GitHub, I have created a remote PRIVATE repository called X, and have a collaborator -person Y. Currently, person Y can simply accept the invitation to be a collaborator, and without forking the repo, simply make an edit, commit changes, and it appears on the master branch. This is obviously undesirable and it seems nonsensical that this is even allowed by default.
I would like person Y (collaborator) to:
-have to fork the repository and work only on the forked repo
-have to make changes ONLY via a pull request
-have to have a pull request, accepted/approved by me, before it is committed to master.
I looked through some answers, and tried:
-going to settings
-going to branches (on the left)
-changing access rights
I noticed however, that it required an upgrade.
I am certain I have heard/read that GitHub allowed full features for up to three collaborators.
Other similar questions on SO, have 0 answers.
I have also seen this option in settings:
"When merging pull requests, you can allow any combination of merge commits, squashing, or rebasing. At least one option must be enabled. If you have linear history requirement enabled on any protected branch, you must enable squashing or rebasing."
Allow merge commits
Add all commits from the head branch to the base branch with a merge commit.
It isn't clear to me what the above is referring to. If I checked that, would it stop all commits from collaborator's from being directly pushed to the master branch without authorisation?
Update:
I noticed some answers that suggested this (protecting a branch) cannot be done, but it is good practice to simply AGREE to always create a pull request. I require a pull request to be mandatory - if it is not enforced, an accidental push to master could obviously occur.
The question then is, what are workarounds for this (without having to pay).
Forking? How do you 'grant' access to another user to a PRIVATE repository. I could only see the option to share access by inviting as a collaborator.
There is this option which says: Default branch
The default branch is considered the “base” branch in your repository, against which all pull requests and code commits are automatically made, unless you specify a different branch.
In the above case, how would I go about creating a copy of the master branch, as it were, for collaborator's to work off of, so that the actual master branch is 'protected'?
The only other option I can think of is to create three levels.
One: Me: Project (with Master branch protected because I only grant access to -me 2)
Two. Me 2: I am granted collaborator access and I fork the project. (call it something else)
Three. I then grant collaborator access (if this is allowed) to the forked project, to someone else. This way, the collaborator can make changes to the forked project in Part 2, but not the original master project in Part 1.
Again, this all seems terribly long winded and unnecessary when all that is needed is for the master branch to be protected, only allowing pushes to master via pull requests which need to be authorised.
Any other options? Any advice or suggestions would be appreciated.
See title. Worst case, is there a way I can track the history of commit removals?
Like Tim Biegeleisen said, the best way to do this is to restrict push access to your repository, and only let people contribute to your repository through pull requests (which you can then monitor).
Add to Branch protection rules
Define branch protection rules to disable force pushing, prevent branches from being deleted, and optionally require status checks before merging. New to branch protection rules?
Going to your repo settings -> branches -> add rule
Configuring protected branches
Defining the mergeability of pull requests
I want to fork a github project to fix a couple of issues and then send a pull request.
The problem I'm running into is that I've already forked the project to adapt it for another user base.
Is it possible to create a second fork? If so, how?
When I try to fork now it just takes me to the previously created fork.
There is no way to have two forks of the same GitHub project unless you use two different GitHub accounts.
So:
Create a separate GitHub account (and verify the email)
Fork the
project
Invite your main GitHub account as a "Collaborator" (from
the settings)
You may need to add the extra step of creating an organization with the new GitHub account and inviting your main github account as an owner of the organization (also make sure your new fork is in that new organization). This will let you do things like deploy automatically to a Heroku app that is connected to your main GitHub account.
Why can't we just have multiple forks???
I mean that I could just commit and push without making a pull request, but I want to do it the offical way and I want somebody else to review the changes before I push to a public project.
GitHub pull requests do not need to be submitted from a fork; they work within a single repository as well:
Pull requests are especially useful in the fork & pull model because they provide a way to notify project maintainers about changes in your fork. However, they're also useful in the shared repository model where they're used to initiate code review and general discussion about a set of changes before being merged into a mainline branch.
There's nothing stopping you from creating a pull request even if you don't technically have to. This is often considered a best practice, and GitHub's own Flow model is largely based on pull requests.
Creating a pull request within a single repository is very similar to creating one from a fork:
Create a feature branch and push your work to that branch on GitHub
In the GitHub web UI, switch to your feature branch
Click the "Compare" & review button
The trick is not to use the master branch to create pull requests. Then you won't need to create multiple forks since you can make as many branches as you need and make pull requests against each branch independently.
Given a clean forked repo, create a dedicated branch and use that branch for the pull request.
You can create branches from the web UI (although it is not obvious).
Click the branch selection dropdown, type the new branch name in the input field, and then you'll see a clickable link Create branch: <new-branch-name> as shown below. The tricky UI part is that it might not be very obvious you should click the "create branch: xyz..." — it is NOT displayed as a button or as a hyperlink, and there is NO indication that this is a clickable link. Moreover, there is NO hint whatsoever that a branch can be created until you type in the search box — anyone would probably assume that the search box is used exclusively for searching branches, and not for creating them.
In case you already made changes directly in your fork's master branch then consider moving those changes into a dedicated branch and hard resetting the master branch to the original remote so that you keep it clean for synching with the upstream repo.
See also:
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-and-deleting-branches-within-your-repository
The best way, recommended by github manual, is use command line git, mirror clone your repo and push it to your github.
https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/duplicating-a-repository
If you strongly prefer GitHub web interface to the command line, a GUI friendly workaround is create a new organization and fork to that new organization.
Another GUI way I can think of is to declare a fork as a template repo using repo's setting so you can create as many forks as you need.