When to use Graphite Protections over GitHub Branch Protection Rules and Rulesets
Compared to GitHub Branch Protection Rules and Rulesets, Graphite Protections are designed from the ground up to support fast development in monorepos while remaining compliant.
The biggest difference for dev tools and security teams is the ability to control merge requirements at the individual PR level instead of mandating blanket policies for entire code repositories.
Common use cases for Graphite Protections
Require at least 2 reviewers for high risk changes (e.g. to specific table schemas)
Allow product teams to approve changes to your marketing website without modifying
CODEOWNERSfiles. Or allow growth teams to merge their own PRs.Only allow the security team to approve security-related config changes
Define required passing CI based on directory in a monorepo to reduce blast radius for flaky tests, and to have teams own their own CI (e.g. frontend tests must pass for frontend changes).
Easily override PR merge requirements when an engineer is OOO.
How Graphite Protections works
Graphite continuously evaluates PRs in repos where you have Protections enabled. PRs become mergeable when they meet all their conditions to merge.
The pull request page in Graphite has native support for Protections, and will show the code author and reviewers the next steps required for the PR to be mergeable.
How Graphite Protections works for GitHub users
Orgs can use Graphite Protections regardless of their preference for GitHub or Graphite for code review.
Graphite users will see the mergeability requirements in the pull request side panel.
GitHub users looking at the same pull request will see a status check with the mergeability requirements that prevents them from merging until their PR meets these conditions.
Integrations with GitHub Branch Protection Rules, Rulesets, and CODEOWNERS
Graphite Protections integrate seamlessly with GitHub’s concepts of Branch Protection Rules, Rulesets, and CODEOWNERS. If you have both Graphite Protections and GitHub Branch Protection Rules / Rulesets enabled in a repo, Graphite will enforce both sets of requirements for PRs to merge.
This integration lets you gradually move your merge requirements to Graphite Protections.
Setting up Graphite Protections
Pre-requisites
Your org must have the Graphite GitHub app installed. You can verify this in your Graphite settings.
Creating your first Protection
Visit the Protections page in Graphite to start enforcing merge requirements with Graphite. The visual editor will guide you through creating your merge protections.
List of supported Protections
At launch, Graphite Protections supports three types of merge requirements:
Required CI checks
Number of required approvals
Required file approvers
You can configure these to apply on all PRs in a repo, or just PRs that match specific criteria. This is what lets you enforce merge requirements based on PR author, affected file paths, title, description, merge base branch, and labels.
Overriding Protections
You can optionally configure each Protection with an override. This is a set of conditions that make the individual Protection pass ✅ even if the merge requirements are not met ❌.
For example, you can configure a Protection with an override based on the oncall-override label. Or add an override for when the assigned reviewer is out of office.
