How to require pull request reviews before merging

Kenny DuMez
Kenny DuMez
Graphite software engineer


Note

This guide explains this concept in vanilla Git. For Graphite documentation, see our CLI docs.


Requiring pull request (PR) reviews before merging is an important component of maintaining high code quality in collaborative software development projects. This guide explains how to set up and enforce mandatory PR reviews using GitHub's branch protection rules, ensuring that all code is reviewed and approved before it is integrated into the main codebase.

The PR review process involves examining proposed changes to a codebase before they are merged into the mainline development branch. This process helps catch bugs, ensures consistency, and improves the overall quality of the code.

Enforcing PR reviews ensures that all code is vetted for quality and functionality. It promotes a culture of collaboration and continuous improvement, helping teams catch errors early and share knowledge about the codebase.

To require PR reviews in GitHub, you can use branch protection rules:

Navigate to your GitHub repository, click on 'Settings', then select 'Branches' in the sidebar.

Click on 'Add rule' in the 'Branch protection rules' section. Enter the branch name pattern for which you want to enforce these rules, typically main.

In the branch protection rules, find the 'Require pull request reviews before merging' option and check it. This setting requires that one or more specific approvals are made before merging changes.

You can also set:

  • Required reviewers: Specify the number of required review approvals.
  • Code owner reviews: If you use a CODEOWNERS file, you can require review from code owners.
  • Dismiss stale reviews: Automatically dismiss approved reviews when new commits are pushed.

After configuring the settings, click 'Save changes' to enforce the new branch protection rules.

With mandatory reviews set up, the PR review workflow looks like this:

  • Creating a pull request: Developers push their branches and create a PR against the protected branch.
  • Reviewing the PR: Team members review the changes, discuss improvements, and either approve or request changes.
  • Applying feedback: The PR author makes any necessary adjustments based on feedback.
  • Final approval and merge: Once all required approvals are obtained, the PR can be merged into the main branch.

Requiring approvals ensures that merging is based on consensus and quality assurance. This method prevents unreviewed code from being incorporated into the main codebase, helping to reduce bugs and other integration issues.

GitHub’s repository protection settings provide a toolkit for enforcing code quality:

  • Merge checks: Ensure that all checks, like continuous integration tests, pass before merging.
  • Restrict who can push to protected branches: Limit who can make changes directly to protected branches, enforcing the review process and preventing accidentally pushing code directly to production.

Graphite Protections offers a more flexible and fine-grained approach to enforcing PR reviews, providing functionality beyond GitHub's branch protection rules, especially for complex or large-scale projects like monorepos. Here’s how to set up mandatory PR reviews using Graphite Protections:

  • Log into the Graphite web app and navigate to the Protections page where you can manage and create new Protections.
  • Click on Create Protection to start setting up your rules.
  • You can set various types of merge requirements such as:
    • Required CI checks: Ensure that all necessary continuous integration tests pass before a PR can be merged.
    • Number of required approvals: Specify how many approvals are needed and from which team members, before a PR can merge.
    • Required file approvers: You can also specify that changes to certain paths require approval from specific users or teams.
  • Graphite allows setting conditions based on the PR's attributes like author, affected file paths, PR labels, etc. This enables more targeted enforcement of rules. For example, infrastructural changes might require approvals from both security and infrastructure teams.
  • Optionally, you can set overrides for specific scenarios, like allowing bypass of certain checks when a critical fix needs to be pushed or when the main approver is unavailable.
  • After setting up the rules, activate them. Graphite will continuously evaluate open PRs against these rules and update their mergeability status in real time.
  • In Graphite, each PR will show what requirements are still needed for it to become mergeable, providing transparency to all stakeholders.
  • Flexibility: Graphite's Protections can handle complex requirements and multiple conditions, making them ideal for dynamic and large teams.
  • Integration: Works seamlessly with GitHub, providing status checks that integrate with existing GitHub workflows.
  • Real-time updates: Graphite monitors changes in PRs in real-time and updates the mergeability status to ensure that all conditions are met before merging.

This setup not only ensures compliance with development best practices but also adapts to the specific needs of different teams within an organization, all while maintaining a high standard of code quality and security.

For further reading see the official Graphite Protections docs.

Graphite
Git stacked on GitHub

Stacked pull requests are easier to read, easier to write, and easier to manage.
Teams that stack ship better software, faster.

Or install our CLI.
Product Screenshot 1
Product Screenshot 2