Ensuring that all changes are properly reviewed before they are merged into the main branch is important for maintaining code quality. GitHub provides several tools to help enforce branch policies, including settings to block merging of pull requests without required reviews. This guide details how to configure your GitHub repository to prevent merges without a review, enhancing your project's integrity and collaboration.
Understanding the need for pull request reviews
Pull request reviews are critical for:
- Catching bugs
- Ensuring code consistency
- Facilitating context sharing among team members
- Enhancing code quality through peer feedback
Steps to prevent unreviewed merges in GitHub
1. Navigate to your repository settings
Start by going to your GitHub repository page. Click on "Settings" near the top right of the page, then on the left sidebar, click on "Branches" under the "Code and automation" section.
2. Set up branch protection rules
In the "Branches" section, you’ll find the "Branch protection rules" area. Click on "Add rule" to create a new branch protection rule.
3. Apply the rule to the main branch
Specify the branch name in the "Branch name pattern" field. Typically, this would be main
or whichever other branch you are using as your mainline where merges should be controlled.
4. Enable required reviews
Under "Protect matching branches," find and check the option "Require pull request reviews before merging." This setting does the following:
- Disables direct commits to the protected branches.
- Requires that all pull requests must be reviewed and approved before merging.
5. Additional review restrictions (optional)
For additional control, you might consider these options:
- Require review from Code Owners: If you use a CODEOWNERS file, you can enforce that only code owners can approve changes to certain parts of the code.
- Dismiss stale pull request approvals when new commits are pushed: This ensures that approvals are only valid for the current state of the pull request, requiring re-review if further changes are made after approval.
6. Block the merge operations
To fully ensure that no merges occur without review, check the following options under the same settings:
- Don't allow merging with unresolved conversations: Prevents merging until all comment threads are resolved.
- Include administrators: Applies the same rules to administrators to ensure that no one can bypass the review requirements.
7. Save the changes
After configuring the settings, click on "Save changes" at the bottom of the page to enforce the new branch protection rules.
Graphite Protections offer a more nuanced and flexible way to manage pull request reviews and merges, particularly beneficial for teams working in complex environments like monorepos. Here’s how you can leverage Graphite Protections to streamline your code review and merge processes:
Control merge requirements for specific PRs
Leverage Graphite Protections to tailor merge requirements for individual pull requests, rather than imposing broad, uniform policies across entire code repositories.
Graphite Protections are specifically engineered to facilitate rapid development in monorepos, ensuring compliance without sacrificing speed.
To configure Graphite protections:
Navigate to Graphite Protections settings:
- Log into your Graphite account and go to the Protections page. This area allows you to configure and enforce custom merge requirements tailored to your project's needs.
Create custom protection rules:
- Define specific criteria: Set rules based on file path, team, or even specific code segments. For example, you can require that any changes to critical system components, like database schemas, must be reviewed by at least two senior engineers.
- Conditional approvals: You can specify that certain files or directories require approval from specific team members, which is especially useful in a monorepo setup where different teams own different parts of the codebase.
Integrate with existing GitHub workflows:
- Graphite Protections seamlessly integrate with GitHub, enhancing existing branch protection rules and CODEOWNERS setups. If a pull request meets the Graphite Protection criteria, it reflects on GitHub as a status check, ensuring compliance before merging.
Set up override conditions:
- Graphite allows for overrides in special circumstances, such as when an on-call engineer needs to make urgent fixes. These overrides ensure that critical merges are not held up unnecessarily, while still maintaining a record for audit and review.
Monitor and adjust:
- After setting up the protections, monitor how they impact your team's workflow. Graphite provides real-time feedback on the mergeability of pull requests, helping you fine-tune the protections to balance speed and security effectively.
By adopting Graphite Protections, teams can maintain high standards of code quality and security without sacrificing the flexibility needed for rapid development cycles. This system ensures that all changes, regardless of how small, are reviewed appropriately, reducing the chances of unreviewed code affecting production.
Try out Graphite protections today.