Read Anthropic’s case study about Graphite Reviewer

How to set up branch protection rules in GitHub

Kenny DuMez
Kenny DuMez
Graphite software engineer


Note

This guide explains this concept in vanilla Git. For Graphite documentation, see our CLI docs.


Branch protection rules in GitHub are important for maintaining the integrity of critical branches, such as main or release. These rules help teams enforce code review policies, manage access, and automate workflows to ensure that changes meet quality standards before they are merged. This guide provides a step-by-step approach to setting up branch protection rules in GitHub.

Branch protection rules in GitHub are designed to prevent direct changes to important branches and ensure that all modifications go through a defined workflow. This feature helps teams:

  • Prevent errors and code conflicts on important branches.
  • Enforce code reviews before merging.
  • Automate testing and other checks that confirm changes are safe to deploy.

Here’s how to configure branch protection rules to secure your branches and streamline your development process:

  • Open your GitHub repository.
  • Click on the 'Settings' tab near the top of the repository page.
  • In the left sidebar under the repository settings, click on 'Branches'.
  • You will see a section labeled 'Branch protection rules'.
  • Click on 'Add rule' to create a new set of rules, or select an existing rule to edit.
  • Apply rule to: Enter the branch name pattern, such as main or release*, to which these rules will apply.
  • Branch name pattern: Use wildcard characters to apply rules to multiple branches if necessary.

Here are some common settings you might consider enabling:

  • Require pull request reviews before merging: Ensure that at least one other person reviews the code before it can be merged.
  • Require status checks to pass before merging: Set up required status checks such as continuous integration tests that must pass before merging.
  • Require signed commits: Require all commits to be signed with a GPG or S/MIME signature.
  • Include administrators: Apply these rules to everyone, including repository administrators.
  • Restrict who can push to matching branches: Specify which users or teams can push to the protected branch.
  • Review and approve changes: Ensure that only approved changes are merged into the protected branches.
  • Automate deployment pipelines: Utilize GitHub Actions or other CI/CD tools to automate builds, tests, and deployments based on successful merges to protected branches.
  • After configuring all the necessary settings, click 'Save changes' at the bottom of the page to enforce the branch protection rules.
  • Regularly review and update your branch protection settings: Keep your rules up-to-date with new development practices or team structures.
  • Educate your team on the importance of branch protection: Make sure all team members understand why these rules are in place and how to work with them.
  • Use branch protection as part of a comprehensive security and quality strategy: Combine branch protections with other practices such as code scanning and security reviews to maintain high standards.

Graphite Protections provide a flexible alternative to traditional GitHub branch protection rules. In order to configure Graphite protections:

Ensure your organization has the Graphite GitHub app installed. This setup allows Graphite to integrate seamlessly with your GitHub repositories.

Log into the Graphite web app and navigate to the Protections section where you can manage and create new protection rules.

Click on Create Protection to start defining your rules. You’ll use a visual editor that guides you through the process, making it user-friendly and straightforward.

You can set various requirements such as:

  • Required CI checks: Ensuring all necessary continuous integration tests pass.
  • Number of required approvals: Specifying how many approvals are needed and from which team members.
  • Required file approvers: Leveraging a CODEOWNERS-like feature but with more granularity.

Graphite allows setting conditions based on attributes like PR author, affected file paths, PR labels, etc., enabling targeted enforcement of rules tailored to specific needs of the project or team.

Graphite also supports overrides for specific scenarios, such as allowing bypass of certain checks when critical fixes need to be pushed or when the main approver is unavailable.

Once configured, activate these protections. Graphite will continuously monitor PRs against these rules and update their mergeability status in real-time.

Graphite allows detailed, condition-based protection settings that are not possible with GitHub’s more general branch protection rules. This is particularly useful in complex project environments like monorepos, where different sections of the codebase may have different requirements.

Graphite Protections can be dynamically adjusted based on the context of the PR, such as the specific files changed, the branch being merged into, or the identity of the contributor. This adaptability prevents the "one-size-fits-all" approach of traditional GitHub protection rules, which can be either too restrictive or too lenient.

While providing additional capabilities, Graphite Protections seamlessly integrate with existing GitHub setups, including branch protection rules and CODEOWNERS. This means teams can transition without disrupting their current workflows.

Graphite provides real-time feedback directly in the PR about what conditions are met or what’s still required for the PR to become mergeable. This ongoing assessment helps streamline the review and merge process, reducing delays and improving efficiency.

Graphite's ability to handle exceptions through overrides allows for flexibility in urgent situations without compromising the overall security and integrity of the development process. This feature is particularly useful in high-stakes environments where quick adaptability is crucial.

Graphite Protections represent a significant advancement in how protections are applied in modern software development, offering precision and flexibility that traditional GitHub branch protections cannot match.

For more info see the official Graphite Protections docs.

Graphite
Git stacked on GitHub

Stacked pull requests are easier to read, easier to write, and easier to manage.
Teams that stack ship better software, faster.

Or install our CLI.
Product Screenshot 1
Product Screenshot 2