Github added branch protections a while back and recently added another option for requiring reviews.
I tried out requiring reviews and status checks (except for administrators) and liked the workflow. But it has a negative impact on our CI/deployment tool.
For example, when we release a new version, there is an automated process in the CI environment that increments the version number in package.json, commits it, and pushes it to the repository. There are a few processes like this, such as clean up tasks.
These automated processes don't need reviews or passing status checks (the status checks have already been run at least twice as part of the deployment pipeline by that point). After enabling the branch protections, however, the CI "user" can't push.
remote: error: GH006: Protected branch update failed for refs/heads/master.
remote: error: Required status check "default" is expected. At least one approved review is required
Previously our CI "user" had "write" permissions. I tried giving it "admin" permissions to the repo I was trying this out on, but that's clearly not sufficient; even as an admin, the CI "user" can't push.
In the picture above I tried removing "reviews", hoping the status checks would be fine without further work. Nope!
What I'd ideally like is for the CI "user" to be exempted from these requirements. It doesn't look like that is a feature. Which may mean my only other option is turning most of the protections off, including some of the ones I want.
But there may be some update or change I could make to the existing CI pipeline--or some configuration of protections I could create--that would have this end result:
Anyone done a similar setup or know how to get around the CI "user" being blocked? Since obviously the CI "user" can't physically navigate to a pull request on Github.com and check the box next to "Use your administrator privileges to merge this pull request." Is there a CLI flag for --usemyadminprivilegestopushthis?
Push Protected - GitHub Action. Push to "status check"-protected branches. Push commit(s) to a branch protected by required status checks by creating a temporary branch, where status checks are run, before fast-forward merging it into the protected branch, finally removing the temporary branch.
I did not actually find out why I was getting the failures; I later couldn't reproduce the problem with the same configuration.
The next day, what worked is what I described.
Protect the branch
But do NOT include administrators for reviews/status checks
Ensure your CI "user" is an administrator
The nice thing about this is the Github UI still encourages administrators to wait for status checks and reviews, which is useful in pull request workflows. CLI use, however, is unaffected for administrators aside from not being able to force push or delete--the desired outcome.
If anyone has tips for setups that only require write instead of admin access, or info on how status/review check success is tracked across multiple requests, please share them.
(I believe in my case the CI config was pointing to the wrong repo. It began working the next day, and someone mentioned resetting the config, though I unfortunately couldn't confirm that this applied to every single failure from the info in our logs.)
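As an added example (not code from the question or the answer), here is a small Python audit of a branch-protection object in the shape returned by GitHub's GET branch protection API. It shows why the CI "user" is rejected as a writer but passes as an administrator once administrators are excluded, builds the PUT body for that layout, and flags the exclusion itself, since every admin account (not just the CI token) inherits the same bypass. The sample object is constructed; GitHub's own enforcement is authoritative, this only mirrors the rules the answer describes.

```python
# Constructed sample in the shape of GitHub's
# GET /repos/{owner}/{repo}/branches/{branch}/protection response, set to the
# layout the answer describes: reviews + status checks, administrators excluded.
SAMPLE_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": ["default"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "restrictions": None,
}


def blocking_rules(protection, is_admin):
    """Rules that reject a plain push to the branch for this actor.
    Review and status-check requirements are skipped for administrators
    only while enforce_admins is off (the behaviour the answer relies on)."""
    enforce_admins = (protection.get("enforce_admins") or {}).get("enabled", False)
    if is_admin and not enforce_admins:
        return []
    rules = []
    checks = protection.get("required_status_checks") or {}
    for context in checks.get("contexts", []):
        rules.append(f"required status check '{context}'")
    reviews = protection.get("required_pull_request_reviews")
    if reviews is not None:
        rules.append(f"{reviews.get('required_approving_review_count', 1)} approving review(s)")
    return rules


def admin_bypass_enabled(protection):
    """True when requirements exist that every administrator (the CI token
    included) can skip; this is the setting an auditor should list per repo."""
    has_requirements = bool(
        (protection.get("required_status_checks") or {}).get("contexts")
        or protection.get("required_pull_request_reviews")
    )
    return has_requirements and not blocking_rules(protection, is_admin=True)


def protection_payload(contexts, review_count, enforce_admins):
    """Request body for PUT .../branches/{branch}/protection reproducing that layout."""
    return {
        "required_status_checks": {"strict": True, "contexts": list(contexts)},
        "enforce_admins": enforce_admins,
        "required_pull_request_reviews": {"required_approving_review_count": review_count},
        "restrictions": None,
    }
```

Run `blocking_rules(SAMPLE_PROTECTION, is_admin=False)` to see the two rules behind the GH006 error above, and `admin_bypass_enabled` across your repositories to find every branch where administrators are excluded.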