GitHub - only allow pull request - github

I have a public GitHub repo and want to disallow other users from merging into the master branch. They should only be able to create other branches and create pull requests. I'm the only one who accepts and merges pull requests.
Is this possible with GitHub and if yes, how can I set this up?
Kind regards

By design, all public repositories are read-only when you create them. If you're a member of an organization, you can provide default permissions to do otherwise.
Long and short of it, GitHub does what you wish it to by design.

Related

GitHub organization member can't merge PRs even though he has write access

I have a protected GitHub repository, where I want a user that was already allowed 'read' access to also be able to merge PRs, so I gave him the 'write' role. According to the GitHub docs that should be enough. Still he is not able to merge, and he sees a warning about not having write access. Am I missing something?
As far as I know, when the private repo is yours and someone else opens a pull request to it, you as the owner have to merge the pull request in the respective branch.

If you add a collaborator to a github public repo can they delete or damage anything?

We are setting up an open source project which we would like to allow freelancers to develop alongside us without damaging anything.
In general, can the collaborators make changes to repositories without admins being able to check the changes over before code is merged into master?
What is the best method to use to prevent the repository from user damage whilst working with a large number of public freelance developers / users?
What you can do is you can give them read-only permission. They can fork to their own account and start working on that code. Then after finishing a feature they can create a pull request to merge it back to the main repo.
For a Personal account on GitHub, there are two types of 'roles' - Owner and Collaborator.
For a full list of who can do what - see here:
https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/permission-levels-for-a-personal-account-repository
To answer your question - "No - A collaborator cannot delete a repository"

Disabling self pull request merge on GitHub

In GitHub, is it possible to disable the option for users to open pull requests and merge them by themselves?
So that every pull request HAS to be approved by another user.
I believe protected branches offer this.
Go to the repository settings.
Go to "branches"
Choose the target branch you want to protect.
Check "Protect this branch", then require reviews. You can also include repository administrators.
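The same settings can be applied and checked through GitHub's REST branch-protection endpoint instead of the settings page. The following is an added example, not code from the answer above: it builds the request body for the two boxes the steps mention (require reviews, include administrators) and audits a protection response for gaps. The sample responses are constructed.

```python
def protection_payload(approvals: int = 1) -> dict:
    """Body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.
    The API requires all four top-level keys; None leaves a rule switched off."""
    return {
        "required_status_checks": None,
        "enforce_admins": True,  # the "include repository administrators" box
        "required_pull_request_reviews": {
            "required_approving_review_count": approvals,
        },
        "restrictions": None,
    }

def audit_protection(current) -> list:
    """List the gaps in a GET .../branches/{branch}/protection response.
    Pass None when the API returned 404, i.e. the branch is unprotected."""
    if not current:
        return ["branch is not protected"]
    gaps = []
    reviews = current.get("required_pull_request_reviews")
    if not reviews:
        gaps.append("pull request reviews are not required")
    elif reviews.get("required_approving_review_count", 0) < 1:
        gaps.append("no approving review is required")
    if not (current.get("enforce_admins") or {}).get("enabled"):
        gaps.append("administrators are exempt from the rules")
    for key, label in (("allow_force_pushes", "force pushes"),
                       ("allow_deletions", "branch deletion")):
        if (current.get(key) or {}).get("enabled"):
            gaps.append(label + " allowed")
    return gaps

# Constructed sample responses (not taken from a real repository).
REVIEWS_ONLY = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}
HARDENED = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

if __name__ == "__main__":
    for name, sample in (("unprotected", None), ("reviews only", REVIEWS_ONLY),
                         ("hardened", HARDENED)):
        print(name, "->", audit_protection(sample) or "ok")
```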

Disallow merging your own pull request on GitHub

We have a practice in our company that people can't merge their own pull requests. PRs are only allowed to be merged by reviewers.
What can we do on GitHub to enforce this?
Is there some way which would disallow people to merge their own pull request or is there something which will be a good alternative for this policy?
This kind of policy is best managed in GitHub Organizations: it has a richer set of permissions.
You can define teams, and make the reviewer team the owner of the repo which accepts PR.
If you want the reviewer to not accept their own policy, then GitHub permissions wouldn't be enough, and you would need to put in place a listener able to alert you in that case (PR accepted by its author), using GitHub API PR Events.
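A sketch of the listener that answer describes, as an added example that is not the answerer's code: it authenticates a `pull_request` webhook delivery by its `X-Hub-Signature-256` header and raises an alert when the account that merged the PR is also its author. The secret, repository name, logins and the `make_delivery` helper are constructed for the example, and header names are assumed to arrive with the casing shown.

```python
import hashlib
import hmac
import json

def signature_ok(secret: bytes, body: bytes, header: str) -> bool:
    """Check the X-Hub-Signature-256 header GitHub sends with each delivery."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (header or "").encode())

def self_merge_alert(secret: bytes, headers: dict, body: bytes):
    """Return an alert dict when a PR was merged by its own author, else None."""
    if not signature_ok(secret, body, headers.get("X-Hub-Signature-256", "")):
        raise ValueError("webhook signature mismatch; delivery rejected")
    if headers.get("X-GitHub-Event") != "pull_request":
        return None
    payload = json.loads(body)
    pr = payload.get("pull_request") or {}
    # A merge arrives as action "closed" with merged == true;
    # a PR closed without merging has merged == false.
    if payload.get("action") != "closed" or not pr.get("merged"):
        return None
    author = (pr.get("user") or {}).get("login", "")
    merger = (pr.get("merged_by") or {}).get("login", "")
    if author and author.lower() == merger.lower():
        return {"repo": payload["repository"]["full_name"],
                "pr": pr["number"], "user": author, "base": pr["base"]["ref"]}
    return None

# Constructed sample deliveries (not real traffic); secret and names are made up.
SECRET = b"constructed-test-secret"

def make_delivery(author: str, merger: str, merged: bool = True):
    body = json.dumps({
        "action": "closed",
        "repository": {"full_name": "example-org/example-repo"},
        "pull_request": {"number": 42, "merged": merged,
                         "user": {"login": author},
                         "merged_by": {"login": merger} if merged else None,
                         "base": {"ref": "master"}},
    }).encode()
    sig = "sha256=" + hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return {"X-GitHub-Event": "pull_request", "X-Hub-Signature-256": sig}, body

if __name__ == "__main__":
    for author, merger in [("alice", "alice"), ("alice", "bob")]:
        headers, body = make_delivery(author, merger)
        print(author, merger, self_merge_alert(SECRET, headers, body))
```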

GitHub: Collaborators Can Merge Their Own Pull Requests

I have one collaborator in my private GitHub repository. After she sent me a pull request, she could actually go to the pull request screen and execute a merge, i.e. she had the privilege to merge her changes into my branch.
Is there some kind of setting that I need to set in order to make sure only I can do the merge? And, I don't think this is because my repo is private, right?
Thanks.
From 'https://help.github.com/articles/defining-the-mergeability-of-pull-requests/':
You can require pull requests to pass a set of checks before they can be merged. For example, you can block pull requests that don't pass status checks. You can also require that pull requests have at least one approved review before they can be merged.
By default, any pull request can be merged at any time, unless the head branch is in conflict with the base branch. But as your project matures and stabilizes, you can choose to enforce restrictions on how a pull request is merged into your repository.
Protected branches ensure that collaborators on your repository cannot make irrevocable changes to branches. These branches can also be protected by requiring pull requests to have at least one approved review before they can be merged.
You could use a service like PullApprove or required code reviews to ensure that you have to give permission first.
The "Manage multiple clients" GitHub help page mentions:
This approach lets you retain control over the repos, but still gives your clients access to them.
In many cases it is the cheapest route overall, though you will be stuck paying the bill yourself (unless you bill it to the client).
To use this strategy, upgrade your personal or org account to a paid plan.
Now you can add private repos for the client directly to this account.
If the client wishes to access the repos directly, they can create a free personal account and you can add that user as a collaborator (if the repos are on your personal account) or to a team (if the repos are on an org account).
With an org account you can also give them admin access to the repo if you wish.
So if your project was part of an org account instead of a personal account, you could have the choice of the admin access for the users you add as collaborator.