Protect main from mistaken pushes
#8209
Comments
max-sixty
added
the
needs triage
|
Thanks for flagging this @max-sixty. We've all been there! I support protecting the |
|
Sounds good to me too. |
|
I thought this was already active? See #6833 |
dcherian
removed
the
needs triage
|
it got lost at some point, I guess. I just enabled the "require pull requests" bit again (without any of the other requirements for that), but keep in mind that users with the repository "Admin" role can still override this (via force-push?). |
|
Great, thanks a lot. (I'll close now :) ) |
|
Not sure if something changed but I managed to push directly to main today, 42fd510. |
|
the branch protection should still be in place (including the "require pull request" rule), so I'm not sure why you were able to do that. I also checked the github changelog up until last year and didn't find anything, so really no clue why you were able to do that. I've enabled "Do not allow bypassing the above settings" just in case, but we might have to experiment with the rules. |
|
I just tried creating a new branch, creating the exact same rules, and the push to the branch again. This was rejected, so I really have no idea why you were able to push to Unless you were force-pushing? In that case you won't be able to do so anymore because of the "Do not allow bypassing the above settings" I enabled earlier. |
|
hmm, I managed to push again, f85da8a. |
|
you're right, I forgot to click "save changes" 🤦♂️. It should be active now, and I can confirm that I can't push to Also, for future tests: you can create empty commits by passing |
|
The problem with enabling this: ...is that we then can't merge if there are any failures on main. 
...which includes the current state with mypy failures. Ideally we would be able to disable pushing to main and allowing getting around the merge restriction (while maintaining the required checks). I don't think that's possible. Does anyone know any better? (another option would be pinning dependencies so we don't get these long-running failures on main. But that either needs our own solution or to move to poetry from conda...) I'll turn the restriction back on so as to not disturb anything, but I think it probably needs to be turned off. |
I turned the restriction off gain, and this time I left it off, since I don't think there's a way around it while main is broken. We can also turn it on when we fix main. ...or if anyone has other ideas lmk! |
|
yeah, probably. So that means that we're protected against accidental pushes, just not force pushes... though in general people should have a habit of double / triple checking what they're doing when it comes to force-pushing, and if you're not sure it's probably best to install some kind of pre-push hook that disallows pushes to |
No, this doesn't protect against normal pushes either...
|
|
We could simply add the This would prevent commits on your local main (but only if you have pre-commit-hooks enabled, which I highly recommend!) |
Yes good idea! (though re the recommendation — I find it slows down committing — I instead run |
|
you're right, though as far as I remember this used to work. Looks like the "branch protection" feature has been completely broken (even worse, without warning), and we have to use the new "ruleset" feature. I just created one for |
This seems to block merging anything!
|
|
okay, more details (hopefully correct this time): it appears branch protection rules don't apply by default to repository admins, which it seems you all are. So to resolve this using protection rules, we'd need two different sets: one for push protection that can't be bypassed by admins, and one for the required status checks that can be bypassed. |
|
I've tried just that (and I still see the "bypass branch protections" for the merge button), but hopefully you can't push to main anymore. Edit: I can confirm that is not possible anymore. So now we have a branch protection rule that makes sure nobody can push to |
|
Nice work @keewis re the two rulesets. (it's odd from GH that it's kinda complicated to do the thing that seems very reasonable...) I think we can close now? |
What is your issue?
Hi team — apologies but I mistakenly pushed to main. Less than a minute later I pushed another commit reverting the commit.
I'll check my git shortcuts tomorrow to ensure this can't happen by default — I thought I had the push remote set correctly, but possibly something doesn't use that.
Would we consider adding protection from pushes to
main? (Am not blaming that setting tbc...)(Will close this issue)
The text was updated successfully, but these errors were encountered: