Pull request approval permissions and rules in GitHub

Kenny DuMez
Graphite software engineer


Note

This guide explains this concept in vanilla Git. For Graphite documentation, see our CLI docs.


GitHub offers a framework for managing pull request (PR) approvals that helps maintain code quality and ensures that changes meet project standards before they are merged. This guide details the permissions and rules surrounding PR approvals in GitHub, helping teams implement effective collaboration and code governance practices.

PR approval permissions determine who can review and approve changes in a pull request. These permissions are crucial for enforcing code review policies and ensuring that only authorized individuals can approve changes.

In GitHub, the following individuals typically have permission to approve PRs:

  • Repository collaborators: Users explicitly granted collaborator status on the repository.
  • Organization members with write access: Members of an organization who have been given write access to the repository.
  • Code owners: Users specified in the CODEOWNERS file in the repository, who are automatically requested for review when changes affect code they own.

GitHub allows repository administrators to configure PR approval settings through branch protection rules. These settings can specify:

  • Number of required reviews: The minimum number of approvals needed before a PR can be merged.
  • Dismiss stale reviews: Automatically dismiss approved reviews when new commits are pushed to the PR.
  • Require review from code owners: Enforce that code owners must review changes to code they own before merging.

GitHub's branch protection rules provide several options for managing how approvals are handled within a project:

  • Pull request author cannot approve their own pull request: This rule ensures that the author of a PR cannot approve their changes, requiring at least one other team member to review and approve the PR. This practice promotes a more objective code review process.
  • Restrict who can dismiss pull request reviews: Control who has the authority to dismiss reviews, which is crucial for maintaining the integrity of the review process.
  • Include administrators: Even repository administrators are subject to the same PR approval rules, ensuring that all code undergoes review regardless of the submitter’s role.

To set up PR approval rules in GitHub:

  1. Navigate to your repository settings: Go to the 'Settings' tab of your repository.
  2. Access the branches section: Click on 'Branches' on the left sidebar.
  3. Edit or add branch protection rules: Click on 'Add rule' or edit an existing rule for the branch you want to protect.
  4. Configure the approval settings: Under 'Pull Request reviews', adjust the settings to meet your project's requirements.
  5. Save the changes: Click 'Save changes' to apply the new or updated branch protection rules.
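The settings above can also be audited and applied through the GitHub REST API rather than the web UI, which is useful when a team needs to verify that every protected branch actually enforces the review policy it was supposed to. The following Python is an added example, not Graphite's code or part of the original guide. It assumes the JSON shape returned by `GET /repos/{owner}/{repo}/branches/{branch}/protection` and accepted by the matching `PUT` endpoint (`required_pull_request_reviews`, `enforce_admins`, `required_status_checks`, `restrictions`); the two sample payloads are constructed for illustration and do not come from a real repository.

```python
"""Audit a branch's protection settings against a PR approval policy and
build the request body needed to enforce that policy."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovalPolicy:
    """The review rules the guide describes, with the defaults a team might choose."""
    min_approvals: int = 1                # 'Number of required reviews'
    dismiss_stale_reviews: bool = True    # 'Dismiss stale reviews'
    require_code_owner_reviews: bool = True  # 'Require review from code owners'
    include_administrators: bool = True   # 'Include administrators'


def audit_protection(protection: dict, policy: ApprovalPolicy) -> list[str]:
    """Return a list of findings; an empty list means the branch is compliant.

    `protection` is the JSON body returned by
    GET /repos/{owner}/{repo}/branches/{branch}/protection (assumed shape).
    """
    findings: list[str] = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        # No review requirement at all: anyone with write access can merge unreviewed.
        findings.append("pull request reviews are not required")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < policy.min_approvals:
            findings.append(f"required approvals {count} < {policy.min_approvals}")
        if policy.dismiss_stale_reviews and not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale reviews are not dismissed on new commits")
        if policy.require_code_owner_reviews and not reviews.get("require_code_owner_reviews", False):
            findings.append("code owner review is not required")
    admins = protection.get("enforce_admins", {}).get("enabled", False)
    if policy.include_administrators and not admins:
        findings.append("administrators can bypass the rules")
    return findings


def protection_request_body(policy: ApprovalPolicy) -> dict:
    """Build the JSON body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.

    That endpoint requires the required_status_checks and restrictions keys to be
    present; null leaves those features unconfigured.
    """
    return {
        "required_status_checks": None,
        "enforce_admins": policy.include_administrators,
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": policy.dismiss_stale_reviews,
            "require_code_owner_reviews": policy.require_code_owner_reviews,
            "required_approving_review_count": policy.min_approvals,
        },
        "restrictions": None,
    }


# Constructed sample payloads (not from a real repository).
SAMPLE_WEAK = {
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": False,
        "required_approving_review_count": 1,
    },
    "enforce_admins": {"enabled": False},
}

SAMPLE_STRONG = {
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 2,
    },
    "enforce_admins": {"enabled": True},
}


if __name__ == "__main__":
    policy = ApprovalPolicy(min_approvals=2)
    for name, payload in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(name, audit_protection(payload, policy) or ["compliant"])
    # Body you would send with the GitHub CLI, e.g.
    #   gh api --method PUT repos/OWNER/REPO/branches/main/protection --input body.json
    print(json.dumps(protection_request_body(policy), indent=2))
```

Running the script flags the weak payload for stale reviews, code owners and administrator bypass, and reports the strong payload as compliant. The generated body can be written to a file and sent with `gh api --method PUT repos/OWNER/REPO/branches/BRANCH/protection --input body.json` (replace the placeholders); the same audit function can then be re-run over the `GET` response to confirm the change took effect.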

To configure rules at the PR level instead of at the branch level, you can use Graphite Protections.

Graphite Protections offer several advantages over the more generalized branch-level rulesets available on GitHub:

  1. Tailored review processes: GitHub's branch-level rules apply uniformly to all PRs targeting a branch, which can be overly restrictive or too lenient depending on the specific changes in a PR. Graphite Protections allow for more granular control, letting you set rules based on the unique characteristics of each PR, such as the type of files changed, the impact of the changes, or the author of the PR. This ensures that the approval process is appropriately rigorous without being unnecessarily obstructive.

  2. Enhanced security and compliance: By enabling PR-specific rules, Graphite Protections ensure that sensitive changes, like modifications to critical infrastructure or security-sensitive code, receive scrutiny from the right reviewers. This targeted approach helps maintain high security standards and compliance with regulatory requirements, reducing the risk of errors or oversights that could arise from a one-size-fits-all rule.

  3. Increased efficiency and flexibility: Graphite Protections can adapt the review process to the needs of the moment without overburdening the team. For example, hotfixes or urgent updates can be expedited with simplified requirements, while major feature additions might warrant more thorough reviews. This flexibility helps maintain development velocity without compromising on code quality or team workload.

  4. Better resource allocation: With the ability to specify who should review changes based on the content of a PR, teams can better allocate their most appropriate resources. This ensures that reviewers with the most relevant expertise are tasked with examining the changes, leading to more effective and efficient reviews.

  5. Integration with existing workflows: Graphite Protections integrate seamlessly with GitHub, enhancing existing workflows without replacing them. Teams can start using Graphite alongside GitHub's branch protection rules and gradually shift towards more dynamic and context-sensitive rules as their needs evolve.

Enable Graphite Protections in your repository today for free.
