Prevent merge without review in GitHub

Kenny DuMez
Kenny DuMez
Graphite software engineer

Ensuring that all changes are properly reviewed before they are merged into the main branch is important for maintaining code quality. GitHub provides several tools to help enforce branch policies, including settings to block merging of pull requests without required reviews. This guide details how to configure your GitHub repository to prevent merges without a review, enhancing your project's integrity and collaboration.

Pull request reviews are critical for:

  • Catching bugs
  • Ensuring code consistency
  • Facilitating context sharing among team members
  • Enhancing code quality through peer feedback

Start by going to your GitHub repository page. Click on "Settings" near the top right of the page, then on the left sidebar, click on "Branches" under the "Code and automation" section.

In the "Branches" section, you’ll find the "Branch protection rules" area. Click on "Add rule" to create a new branch protection rule.

Specify the branch name in the "Branch name pattern" field. Typically, this would be main or whichever other branch you are using as your mainline where merges should be controlled.

Under "Protect matching branches," find and check the option "Require pull request reviews before merging." This setting does the following:

  • Disables direct commits to the protected branches.
  • Requires that all pull requests must be reviewed and approved before merging.

For additional control, you might consider these options:

  • Require review from Code Owners: If you use a CODEOWNERS file, you can enforce that only code owners can approve changes to certain parts of the code.
  • Dismiss stale pull request approvals when new commits are pushed: This ensures that approvals are only valid for the current state of the pull request, requiring re-review if further changes are made after approval.

To fully ensure that no merges occur without review, check the following options under the same settings:

  • Don't allow merging with unresolved conversations: Prevents merging until all comment threads are resolved.
  • Include administrators: Applies the same rules to administrators to ensure that no one can bypass the review requirements.

After configuring the settings, click on "Save changes" at the bottom of the page to enforce the new branch protection rules.

Graphite Protections offer a more nuanced and flexible way to manage pull request reviews and merges, particularly beneficial for teams working in complex environments like monorepos. Here’s how you can leverage Graphite Protections to streamline your code review and merge processes:

Leverage Graphite Protections to tailor merge requirements for individual pull requests, rather than imposing broad, uniform policies across entire code repositories.

Graphite Protections are specifically engineered to facilitate rapid development in monorepos, ensuring compliance without sacrificing speed.

To configure Graphite protections:

  1. Navigate to Graphite Protections settings:

    • Log into your Graphite account and go to the Protections page. This area allows you to configure and enforce custom merge requirements tailored to your project's needs.
  2. Create custom protection rules:

    • Define specific criteria: Set rules based on file path, team, or even specific code segments. For example, you can require that any changes to critical system components, like database schemas, must be reviewed by at least two senior engineers.
    • Conditional approvals: You can specify that certain files or directories require approval from specific team members, which is especially useful in a monorepo setup where different teams own different parts of the codebase.
  3. Integrate with existing GitHub workflows:

    • Graphite Protections seamlessly integrate with GitHub, enhancing existing branch protection rules and CODEOWNERS setups. If a pull request meets the Graphite Protection criteria, it reflects on GitHub as a status check, ensuring compliance before merging.
  4. Set up override conditions:

    • Graphite allows for overrides in special circumstances, such as when an on-call engineer needs to make urgent fixes. These overrides ensure that critical merges are not held up unnecessarily, while still maintaining a record for audit and review.
  5. Monitor and adjust:

    • After setting up the protections, monitor how they impact your team's workflow. Graphite provides real-time feedback on the mergeability of pull requests, helping you fine-tune the protections to balance speed and security effectively.

By adopting Graphite Protections, teams can maintain high standards of code quality and security without sacrificing the flexibility needed for rapid development cycles. This system ensures that all changes, regardless of how small, are reviewed appropriately, reducing the chances of unreviewed code affecting production.

Try out Graphite protections today.

Graphite
Git stacked on GitHub

Stacked pull requests are easier to read, easier to write, and easier to manage.
Teams that stack ship better software, faster.

Or install our CLI.
Product Screenshot 1
Product Screenshot 2