Managing merge permissions and protected branches in GitHub

Sara Verdi
Sara Verdi
Graphite software engineer


Note

This guide explains this concept in vanilla Git. For Graphite documentation, see our CLI docs.


Managing merge permissions and protected branches in GitHub helps ensure that only authorized individuals can make significant changes to your codebase. This guide explores how to restrict who can merge pull requests, configure protected branches, and implement GitHub pull request merge restrictions effectively. We will also discuss the integration of Graphite Protections to enhance your repository’s security.

Merge permissions in GitHub control who can merge pull requests into specific branches. Protected branches are a feature that prevents certain actions on branches, such as merging, without meeting specific criteria. By configuring these features, teams can enforce workflows and maintain code integrity.

  • Code quality: Ensures only reviewed and approved code is merged.
  • Security: Limits access to sensitive branches, reducing the risk of unauthorized changes.
  • Collaboration: Establishes clear workflows that enhance team collaboration and accountability.

Protected branches can be set up to enforce restrictions on who can push to or merge changes into a branch. This is typically done for branches like main or develop, where stable code resides.

  1. Navigate to your repository: Go to your GitHub repository.

  2. Access settings: Click on the "Settings" tab in your repository.

  3. Branches settings: In the left sidebar, select "Branches."

  4. Add a branch protection rule: Click on "Add rule" under the "Branch protection rules" section.

  5. Define the rule:

    • Branch name pattern: Specify the branch (e.g., main).
    • Require pull request reviews before merging: Check this option to ensure that a pull request is reviewed before merging.
    • Require status checks to pass before merging: Select this to require that CI/CD checks (like tests) must pass before a pull request can be merged.
    • Restrict who can push to matching branches: This option allows you to limit who can push directly to the branch.
  6. Save changes: Click "Create" or "Save changes" to apply the rule.

Assume you want to protect the main branch so that only specific team members can merge pull requests and require at least one approval before merging.

  1. Navigate to the repository settings and go to "Branches."
  2. Add a branch protection rule for the main branch.
  3. Enable "Require pull request reviews before merging" and set "Require at least 1 approval."
  4. Enable "Restrict who can push to matching branches" and select the team members allowed to merge.

GitHub also provides options to restrict merging based on role or individual. This can prevent unauthorized changes to critical branches.

  1. Pull request reviews: As mentioned earlier, requiring reviews ensures that no one can merge a pull request without approval. This can be set up in the protected branch settings.

  2. Restricting merge permissions:

    • Team-based restrictions: You can limit merge access to specific teams within your organization. For instance, only members of the "Code Reviewers" team can merge to the main branch.
    • Individual user restrictions: If you need finer control, you can specify individual GitHub usernames who are allowed to merge.

If you have a team called "Developers" and want to ensure that only members of this team can merge into the release branch:

  1. In the branch protection settings, enable "Restrict who can push to matching branches."
  2. Select the "Developers" team to grant them merge access while preventing others.

Graphite Protections enhances GitHub’s built-in features by providing additional layers of security and compliance for merge permissions and protected branches. Here’s how to leverage Graphite:

  1. Automated policy enforcement: Graphite can automate the enforcement of your branch protection rules, ensuring compliance without manual checks.

  2. Customizable notifications: Set up alerts to notify team members when someone attempts to merge without the required approvals.

  3. Protection rules at the PR level: Graphite provides tools to control merge requirements at the individual PR level.

Managing merge permissions and protected branches in GitHub is important for maintaining a secure and efficient development workflow. By leveraging GitHub's branch protection features and integrating Graphite Protections, teams can enforce robust policies that safeguard their codebases while fostering collaboration.

Graphite
Git stacked on GitHub

Stacked pull requests are easier to read, easier to write, and easier to manage.
Teams that stack ship better software, faster.

Or install our CLI.
Product Screenshot 1
Product Screenshot 2