github: Collaborators Can Merge Their Own Pull Requests - github

I have one collaborator in my private GitHub repository. After she sent me a pull request, she could actually go to the pull request screen and execute a merge, i.e. she had the privilege to merge her changes into my branch.
Is there some kind of setting that I need to set in order to make sure only I can do the merge? And, I don't think this is because my repo is private, right?
Thanks.

From 'https://help.github.com/articles/defining-the-mergeability-of-pull-requests/':
You can require pull requests to pass a set of checks before they can be merged. For example, you can block pull requests that don't pass status checks. You can also require that pull requests have at least one approved review before they can be merged.
By default, any pull request can be merged at any time, unless the head branch is in conflict with the base branch. But as your project matures and stabilizes, you can choose to enforce restrictions on how a pull request is merged into your repository.
Protected branches ensure that collaborators on your repository cannot make irrevocable changes to branches. These branches can also be protected by requiring pull requests to have at least one approved review before they can be merged.

You could use a service like PullApprove or required code reviews to ensure that you have to give permission first.

The "Manage multiple clients" GitHub help page mentions:
This approach lets you retain control over the repos, but still gives your clients access to them.
In many cases it is the cheapest route overall, though you will be stuck paying the bill yourself (unless you bill it to the client).
To use this strategy, upgrade your personal or org account to a paid plan.
Now you can add private repos for the client directly to this account.
If the client wishes to access the repos directly, they can create a free personal account and you can add that user as a collaborator (if the repos are on your personal account) or to a team (if the repos are on an org account).
With an org account you can also give them admin access to the repo if you wish.
So if your project was part of an org account instead of a personal account, you could have the choice of admin access for the users you add as collaborators.

Related

Github: How can I require PRs to be approved by me, unless they are my own?

I have a private Github repo which I want to make public, but:
I don't want people to be able to merge their PRs without my approval
I want to be able to merge my own PRs without anyone's approval
Is this possible, and how?
I couldn't find a combination of the above while looking at my repo's settings, unless I pay for a PRO account.
This may not be an exact answer, but it should be similar for a public repo. I have a private repo and a paid account with one additional user license, so I can review and require approval of other users' PRs.
This is how I set up protection: repo -> Settings -> Branches (under Code and automation) -> Branch protection rule -> enter a branch pattern (like release*). There are a number of checkboxes, and you want to pick whatever protection you need.
For example, I picked:
Require a pull request before merging
-- Require approvals
However, I found an interesting option which might be useful to you. So if you are an administrator you should be able to bypass the protection, but other non-admins cannot, is what I am gathering.
Do not allow bypassing the above settings
The above settings will apply to administrators and custom roles with the "bypass branch protections" permission.

How do you restrict contributors from Pushing to a private repository without a Fork?

Is there a way for me to invite a contributor, allow him to fork from my project and submit a Pull Request, without being able to commit and Push directly into the repository?
I am new to this, I'm doing some testing and it seems that it should be an easy way to accomplish this, but I cannot find it. I have two accounts and it seems that I can just delete and modify anything in the repository, from the collaborator (guest) account, with no restrictions and moderation from the owner account.

Prevent User from approving Pull Request

I have run into an issue where if my project managers are rushing, they sometimes will help move pull requests along by 'approving' them. As we have set the branch policy to require at least 2 approvals (and the creator cannot be one), this can be a bit of a frustration. I have moved the PMs into a new security group to isolate them from most options but I cannot find anything specific about Pull Requests. Does this just follow under the Contribute option or is there a specific way I can block them from being able to approve pull requests?
They have "Contribute to Pull Request" permissions, located under repo security settings. Remove that permission for the people you don't want to be approving PRs.

Disabling self pull request merge on github

In Github, is it possible to disable the option for users to open pull requests and merge them by themselves?
So that every pull request HAS to be approved by another user.
I believe protected branches offer this.
Go to the repository settings.
Go to "branches"
Choose the target branch you want to protect.
Check "Protect this branch", then require reviews. You can also include repository administrators.
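
The branch protection settings described in the answers above ("Require approvals", including administrators) can also be set and checked through GitHub's REST branch protection endpoint. The following is an added example, not code from any of the posts: it builds the request body for that endpoint and audits a protection response for the gaps that let someone merge unreviewed changes. The function names and the sample responses are constructed for illustration.

```python
def protection_payload(approvals=1, include_admins=True):
    """JSON body for PUT /repos/{owner}/{repo}/branches/{branch}/protection."""
    return {
        "required_status_checks": None,    # no CI gate in this example
        "enforce_admins": include_admins,  # "Do not allow bypassing the above settings"
        "required_pull_request_reviews": {
            "required_approving_review_count": approvals,  # "Require approvals"
            "require_last_push_approval": True,
        },
        "restrictions": None,              # no push allow-list
    }


def audit_protection(protection):
    """List weaknesses in a GET .../protection response body.

    Assumption of this example: the caller passes None when the API answered
    404 because the branch has no protection rule.
    """
    if protection is None:
        return ["no protection rule: any collaborator with write access can push or merge"]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request reviews are not required")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("zero approvals required")
        if not reviews.get("require_last_push_approval", False):
            findings.append("the most recent push may be approved by the person who pushed it")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators can bypass the rule")
    return findings


# Constructed sample responses, trimmed to the fields the audit reads.
SAMPLE_STRICT = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "require_last_push_approval": True},
    "enforce_admins": {"enabled": True},
}
# Owner keeps the ability to merge their own PRs; everyone else needs approval.
SAMPLE_OWNER_BYPASS = dict(SAMPLE_STRICT, enforce_admins={"enabled": False})

if __name__ == "__main__":
    import json
    print(json.dumps(protection_payload(), indent=2))
    for name, sample in [("strict", SAMPLE_STRICT), ("owner bypass", SAMPLE_OWNER_BYPASS)]:
        print(name, audit_protection(sample))
```

Because GitHub does not count a pull request author's own review as an approval, requiring one approval is what blocks self-merge for non-admin collaborators; leaving enforce_admins off is the "owner can still merge their own PRs" setup asked about earlier on this page.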

How to create a repository where each change requires the agreement of both partners?

Two partners are building a software project. They want that each change made by one partner must be approved by the other partner.
If one of them opens a GitHub repository and makes the other one a collaborator, then both of them can change the repository without consent from the other partner. They can also ask for consent by doing the change in a branch and then doing a pull-request on the branch, but the system does not force them to do it, so they might forget.
If one of them opens a GitHub repository and does NOT make the other partner a collaborator, then the second partner must make a pull request for each change, but the first partner can still make changes without the other partner reviewing them.
Is it possible to create a repository such that, each change by one of the partners only becomes public after the other partner approves it?
I don't think such a feature exists yet in GitHub AFAIK. But I think something like this works.
Create another account either a dummy or a bot account
Create repository from the dummy/bot account
Since you both are not collaborators, you need to fork the repository and issue pull requests no matter what.
There is a minor correction to what you said though
If one of them opens a GitHub repository and does not make the other partner a collaborator, then the second partner must make a pull request for each change, but the first partner can still make changes without the other partner reviewing them.
If you make your partner a collaborator then he too can push code to master without a pull request.
PS: Honestly, I don't think this question is supposed to be on StackOverflow.