GitHub branch protection rules allow teams to enforce specific access controls in their repos. These rules help maintain the integrity and security of the codebase by preventing unauthorized changes and ensuring certain conditions are met before changes are merged. This guide will explain how to apply branch protection rules, manage multiple branches, and utilize the GitHub API for branch protection.
Understanding branch protection rules
Branch protection rules are settings that enforce certain standards and workflows for a repository. Common use cases include:
- Requiring pull request reviews before merging.
- Requiring status checks to pass before merging.
- Restricting who can push to protected branches.
Setting up branch protection rules
To apply branch protection rules in GitHub, follow these steps:
- Go to your repository on GitHub.
- Click on "Settings" and then "Branches" in the left sidebar.
- Under "Branch protection rules", click "Add rule".
- Enter the branch name pattern for which the rules should apply. This can be a specific branch like
mainor a pattern that matches multiple branches such asrelease-*. - Configure the protection settings according to your needs:
- Require pull request reviews before merging.
- Require status checks to pass before merging.
- Add restrictions for who can push to the branch.
- Enable other options as required.
Example: Applying rules to multiple branches
When dealing with multiple branches, such as feature or release branches, you might want to apply consistent protection rules. Use wildcards like feature-* or release-* to ensure that any new branches created with these prefixes automatically inherit the protection rules.
Automating branch protection with the GitHub API
For larger teams or projects, manually updating branch protection settings for multiple branches might be impractical. Automating this process through the GitHub API can help streamline these updates.
Using the GitHub API to set branch protection rules
Here’s how you can use the GitHub API to automate setting branch protection rules:
curl -X PUT -H "Authorization: token YOUR_GITHUB_TOKEN" \-H "Accept: application/vnd.github.v3+json" \"https://api.github.com/repos/USERNAME/REPOSITORY/branches/BRANCH/protection" \-d '{"required_status_checks": {"strict": true,"contexts": ["continuous-integration/travis-ci"]},"enforce_admins": null,"required_pull_request_reviews": {"required_approving_review_count": 1},"restrictions": null}'
This script uses the curl command to make an HTTP PUT request to the GitHub API to set branch protection rules on a specific branch within a repository:
Command and headers:
curl -X PUT: This initiates acurlcommand to send a PUT request, which is used to update or replace a resource. Here, it's used to set or change the branch protection rules.-H "Authorization: token YOUR_GITHUB_TOKEN": This header sends your GitHub authentication token to ensure that the request is authorized. You must replaceYOUR_GITHUB_TOKENwith your actual personal access token.-H "Accept: application/vnd.github.v3+json": This header tells the GitHub API that the client expects a response in JSON format and specifies version 3 of the API.
API URL:
"https://api.github.com/repos/USERNAME/REPOSITORY/branches/BRANCH/protection": This is the URL where the API request is sent. ReplaceUSERNAME,REPOSITORY, andBRANCHwith your GitHub username, the repository name, and the branch name you want to protect.
Data payload (
-d):- The data payload defines the protection rules you want to apply to the branch. It is formatted in JSON and includes the following settings:
"required_status_checks": {"strict": true, "contexts": ["continuous-integration/travis-ci"]}: This setting requires status checks to pass before merging. Thestrictoption ensures that the PR is up to date with the base branch before merging. Thecontextsarray specifies which status checks must pass, in this case, "continuous-integration/travis-ci"."enforce_admins": null: When set totrue, this enforces all configured restrictions for administrators as well. Here, it's set tonull, indicating no special rules for admins."required_pull_request_reviews": {"required_approving_review_count": 1}: This requires at least one approving review on a pull request before merging."restrictions": null: This would restrict who can push to the branch. Setting it tonullmeans there are no user or team restrictions; however, this field can be configured to specify allowed users or teams.
- The data payload defines the protection rules you want to apply to the branch. It is formatted in JSON and includes the following settings:
By executing this command in the terminal, you send these settings to GitHub, which then applies the specified protection rules to the branch. This is particularly useful for automating the setup of repositories and ensuring consistent branch protection settings across multiple projects.
Best practices for using branch protection rules
- Use consistent rules across similar branches to maintain a uniform workflow.
- Regularly review and adjust your branch protection settings as your team and project evolve.
- Combine branch protection with other GitHub features like GitHub Actions for CI/CD to maximize your workflow efficiency and security.
By effectively implementing GitHub branch protection rules, you ensure that your project's main branches are safeguarded against erroneous or malicious changes, thereby supporting a stable and controlled development process. Whether through the GitHub UI or the API, managing these settings plays a critical role in maintaining the quality and integrity of your software projects.
See the official GitHub documentation for further reading on branch protection rules.
