How to protect "master" in github?
G

4

61

I have a few contributors in my github project. I want to allow only one of them to "push" to master. And this guy is not me (the owner of the repository). Is it possible to do?

Gaiser answered 30/4, 2012 at 9:53 Comment(6)
Is it a private project? If it's not, they don't need to be collaborators necessarily - they can fork and use pull requests exclusively (which enforces a level of pseudo-code review to merge changes) – Rubberize
This functionality is not supported by GitHub, but if you are looking for similar solutions: Assembla Repositories support this: blog.assembla.com/assemblablog/tabid/12618/bid/96330/… DIY - self-hosting git: git-scm.com/book/ch7-4.html DIY - self-hosting mercurial: mercurial.selenic.com/wiki/AclExtension – Keiko
See also https://mcmap.net/q/277120/-git-support-for-branch-based-user-authorization-best-practices-or-tools – Biff
Possible duplicate of "A way to restrict Git branch access?" – Sequence
Sept. 2015: it looks like that feature is coming in GitHub: see my answer below – Biff
Seems like it is (more or less) possible now; github.com/blog/2137-protected-branches-improvements. Push access for a specific branch can be restricted to certain users now. Admins will be able to push regardless of this setting however. – Bedford
J
41

Back then, when this question was posted, GitHub didn't allow you to specify access privileges on a branch level. You could only do it on a repository level. So what you are requesting wasn't possible.

If you want to work around this limitation, I personally see two options:

  • you could use some kind of commit hooks, etc. to at least inform someone that something wrong happened
  • If you really need this tight control, you could use two repositories, one only holding your "master" branch. You would then need to make sure that only your "guy" gets write access to the master repository

I think it is easier to solve that with some organisation. In my team, we never push anything directly to master, but instead always create pull requests. That ensures that at least someone takes a look before code gets merged and you could also define a policy that only your "guy" is allowed to merge pull requests.

Update

GitHub has now announced that they will roll out a new feature called protected branches. This feature has been present in other git distributions like Atlassian Stash for years. It will allow you to protect some branches from pushes. However, it still doesn't allow complete ACL-based protection of individual branches. So you might want to check this feature out in case you don't want to rely on an organizational solution as outlined above.

Jewry answered 22/5, 2012 at 13:53 Comment(6)
"we never push anything directly to master" - because you can't or because you agreed not to? – Gaiser
Because we agreed to not do it. Sometimes it is easier to find a soft solution instead of a technical one. – Jewry
Btw I think that this is a general issue in git/GitHub workflow! Most people contributing try to commit into master first, in all projects I've seen... – Pehlevi
If you run into those problems, you might also want to take a look into other hosting services/tools such as Atlassian Stash. They provide branch-based permissions. – Jewry
Assembla has a good set of features to make different git workflows and code review processes. In Assembla you can protect any branch and give write permissions to certain users. One nice feature is "Enforce code review"; when someone pushes to master, it remains untouched and a new branch is created instead with the code changes, then it automatically creates a merge request from the new branch to the master, so other team members can review/approve the changes. – Marvelous
We safeguard against accidental pushes to master with hooks + protection on CI side: dimaip.github.io/2015/06/03/protecting-github-branch – Af
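
A client-side guard of the kind the hook suggestions above describe, as an added example that is not part of the original answers or comments. The `PROTECTED_BRANCHES` and `ALLOWED_PUSHER` settings are hypothetical names chosen for this sketch; the stdin line format is the one Git passes to `pre-push` hooks.

```shell
#!/bin/sh
# Added example: install as .git/hooks/pre-push and make it executable.
# Git runs it before each push and feeds one line per ref on stdin:
#   <local ref> <local sha> <remote ref> <remote sha>
# A non-zero exit aborts the push. This runs on the client, so it only
# catches accidents: "git push --no-verify" or deleting the file skips it.

# Assumed settings (hypothetical names, not from the original answers):
PROTECTED_BRANCHES="${PROTECTED_BRANCHES:-master}"  # space-separated names
ALLOWED_PUSHER="${ALLOWED_PUSHER:-}"                # user.email of the one permitted pusher

# is_protected REF: succeed if REF is refs/heads/<name> for a protected name.
is_protected() {
    for name in $PROTECTED_BRANCHES; do
        [ "$1" = "refs/heads/$name" ] && return 0
    done
    return 1
}

# check_push PUSHER: read pre-push lines from stdin; return 1 if any line
# updates or deletes a protected branch and PUSHER is not the allowed one.
check_push() {
    pusher=$1
    blocked=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        is_protected "$remote_ref" || continue
        if [ -n "$ALLOWED_PUSHER" ] && [ "$pusher" = "$ALLOWED_PUSHER" ]; then
            continue
        fi
        # Deletions arrive with "(delete)" as the local ref.
        if [ "$local_ref" = "(delete)" ]; then action="delete"; else action="push to"; fi
        echo "pre-push: refusing to $action $remote_ref; open a pull request instead" >&2
        blocked=1
    done
    return "$blocked"
}

# Run only when Git invokes this file under its hook name.
case "$0" in
    */pre-push|pre-push)
        check_push "$(git config user.email)"
        exit $?
        ;;
esac
```

Because `user.email` is set by the client, the allowed-pusher check is a convenience only; enforcement has to come from the hosting side, as the answers below describe.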
B
13

Note: Protected branches and required status checks (September 3, 2015) will allow you to protect a branch

  • against forced pushes
  • against deletion
  • against merged changes until required status checks pass



Since March 2016, as commented by Sander below, you have User and team restrictions

Sometimes merges to a protected branch are best left to a release manager or a team of people responsible for the stability of that particular branch. Organizations can now specify which members and teams are able to push to a protected branch.


Biff answered 3/9, 2015 at 19:26 Comment(4)
Pity, you still can't restrict branch access to certain members... Would love that feature for the master branch. – Dryad
I agree, or at the very least be able to restrict merging to administrators only for protected branches. – Ballentine
@PratikBothra github.com/blog/2137-protected-branches-improvements Seems like it is possible now. :) – Bedford
@Bedford I agree. I have edited the answer accordingly. – Biff
G
3

This is exactly what forking was designed for. You would have the main repository protected, and you would allow read permissions on that repository for all contributors. Those contributors would fork the repo, and would push their changes to their personal copies of the main repo. When they are ready to introduce code into the main repository, they would submit a pull request into the main repo. In this case, owners of the main project could complete the pull request.

Glasswort answered 9/2, 2015 at 2:32 Comment(1)
The problem with the forking/PR workflow is that a member who has "write" privileges on the main repo could still push to it. – Latent
B
0

We can now use a "CODEOWNERS" file to require review from Code Owners to validate a pull request. We can set different permissions based on their GitHub account.

see here and here

Bula answered 26/2, 2018 at 11:32 Comment(0)
