[CIG-SEISMO] Using Github Protected Branches
Rene Gassmoeller
rene.gassmoeller at mailbox.org
Wed Mar 14 15:42:43 PDT 2018
Hi all,
let me join in on this as one of the maintainers of the ASPECT mantle
convection code. We had the branch protection on Github enabled for our
master branch for several years now (in addition to the automatic tester
that tests pull requests). There are two scenarios in which this can be
helpful:
One of your project's developers (no admin, otherwise you are out of
luck in any case) account is hacked. They have write access to the
repository, but can not change their rights on github. Without a
protected master branch they can force-push to that branch or more
dangerously reset it and delete the complete project history. You would
then need to restore it from a local copy somewhere (hopefully you have
one). They can of course still merge bogus pull requests (unless you add
the required status checks protection), but all of that can be reverted.
The other scenario does not even need evil intentions. Let's assume you
are in a hurry to fix a bug and you do this on the master branch (you
should be on a feature branch, but the next seminar is in 5 minutes and
you can create the branch later). You do not finish the fix, but want to
save the history so you push to your personal github repo for now to
create the pull request later. 'git push origin master'. Unfortunately
you did this on the cluster where you cloned the repository and you
cloned from the main repository instead of your own, so you mess up the
master branch. You walk away and your repo is in an unusable state until
you return or somebody notices. Every user who updated in the meantime
gets an unusable version, and worse, they will get a conflict unless you
fix up the master branch with a new commit (instead of reset it) and
keep the messed up commit in there.
Now I admit these cases need bad luck, but that can happen to anyone
(even experienced admins). While we had no attempts to delete our master
branch yet, people did accidentally upload branches to the main
repository without realizing and having the branch protection on just
gives us some extra peace of mind. Of course that is the decision of
every project, but I personally feel a protected master branch should be
included in the set of best practices.
Cheers,
Rene
On 03/14/2018 02:43 PM, Tyler Esser wrote:
> This conversation was originally started with the SPECFEM Admins
> Github team. There were requests from other people to join the
> discussion so we decided to post it to the mailing list.
>
>
> Tyler Esser
>
>
> ---------- Forwarded message ----------
> From: *Tyler Esser* <notifications at github.com
> <mailto:notifications at github.com>>
> Date: Fri, Mar 9, 2018 at 1:05 PM
> Subject: [geodynamics/specfem-admins] Using Github's protected
> branches (#1)
> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
> <http://noreply.github.com>>
> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
> Your activity <your_activity at noreply.github.com
> <mailto:your_activity at noreply.github.com>>
>
>
> Hi SPECFEM admins,
>
> CIG recently had a discussion with a CIG project dev about protecting
> branches from certain actions and discovered that Github has a
> protected branch feature. The option seems to be a good general
> practice and so I wanted to ask what you thought about turning it on
> for SPECFEM master branches. Github documentation for the feature is
> here: https://help.github.com/articles/about-protected-branches/
> <https://help.github.com/articles/about-protected-branches/>
>
> Mostly we were interested in preventing accidental deletion or
> altering git history with force pushing, but there are other options
> that may be worth using. See the attached picture.
>
> protectedbranches
> <https://user-images.githubusercontent.com/15039903/37229838-3e206a58-239a-11e8-8849-4d53b31bb735.png>
>
> The Github team interface seemed the best way to contact you when
> dealing with Github administration issues. Please let me know if you
> would have preferred a different method.
>
> Tyler Esser
>
> —
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly, view it on GitHub
> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AOV9nzrbX2pJT4Ic82_OqHyMeMhIB0DGks5tcu6hgaJpZM4Sk3gA>.
>
>
>
> ---------- Forwarded message ----------
> From: *daniel peter* <notifications at github.com
> <mailto:notifications at github.com>>
> Date: Fri, Mar 9, 2018 at 11:20 PM
> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
> branches (#1)
> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
> <http://noreply.github.com>>
> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>
>
> Hi Tyler,
>
> probably David has a better answer, since he put most of this already
> in place. I think we already protect the master branch in all SPECFEM
> repos. no pull requests are allowed on master by users. only admins
> are allowed to push/merge commits to it. so the most important
> safeguards from above are already in place.
>
> as it seems to work pretty well so far for us, i don't see much need
> for further restrictions.
>
> best wishes,
> daniel
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/1>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AOV9n0lH-Vma93h_RD2hoK0c6U4aI7Gaks5tc368gaJpZM4Sk3gA>.
>
>
>
> ---------- Forwarded message ----------
> From: *Tyler Esser* <notifications at github.com
> <mailto:notifications at github.com>>
> Date: Mon, Mar 12, 2018 at 5:18 PM
> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
> branches (#1)
> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
> <http://noreply.github.com>>
> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
> Your activity <your_activity at noreply.github.com
> <mailto:your_activity at noreply.github.com>>
>
>
> When you say the master branch is already protected, are you referring
> to Github branch protection or are you referring to the Github teams
> SPECFEM Admins
> <https://github.com/orgs/geodynamics/teams/specfem-admins/members> and
> SPECFEM Devs
> <https://github.com/orgs/geodynamics/teams/specfem-developers/members>
> being exclusive?
>
> As far as I can tell, the people in those teams have permission to
> push, merge, force push, and/or delete any branch in the SPECFEM
> repos. If I understand you correctly, that's fine because everyone in
> those teams is already trusted. Is that correct?
>
> Tyler
>
> —
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly, view it on GitHub
> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/2>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AOV9nyUcEMGqU9oUvZeIZYzYee5129W9ks5tdxBkgaJpZM4Sk3gA>.
>
>
>
> ---------- Forwarded message ----------
> From: *daniel peter* <notifications at github.com
> <mailto:notifications at github.com>>
> Date: Tue, Mar 13, 2018 at 1:46 AM
> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
> branches (#1)
> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
> <http://noreply.github.com>>
> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>
>
> the master branch is protected by buildbot, which David set up. every
> pull request goes through buildbot which will close it automatically
> if the request is towards the master branch.
>
> and yes, only those team admins are allowed to push, merge, etc. on
> the master/devel branch which is fine, as they probably know what
> they're doing :)
>
> -daniel
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/3>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AOV9n6HUbKXXf0UdPXfPH9BEZBAhWekyks5td4d-gaJpZM4Sk3gA>.
>
>
>
> ---------- Forwarded message ----------
> From: *Tyler Esser* <notifications at github.com
> <mailto:notifications at github.com>>
> Date: Wed, Mar 14, 2018 at 12:09 PM
> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
> branches (#1)
> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
> <http://noreply.github.com>>
> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
> Your activity <your_activity at noreply.github.com
> <mailto:your_activity at noreply.github.com>>
>
>
> There's been a few requests to join this discussion. Do you mind if I
> copy this thread to the cig-seismo mailing list?
>
> Tyler
>
> —
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly, view it on GitHub
> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/4>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AOV9nzlkfKRWyqhmOX1y-zJG6VFZKEobks5teWrngaJpZM4Sk3gA>.
>
>
>
> ---------- Forwarded message ----------
> From: *daniel peter* <notifications at github.com
> <mailto:notifications at github.com>>
> Date: Wed, Mar 14, 2018 at 1:49 PM
> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
> branches (#1)
> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
> <http://noreply.github.com>>
> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>
>
> sure, let's see some more opinions :)
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/5>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AOV9n9qaWMmQTY0OsoY2qXDakvb2EIIlks5teYJngaJpZM4Sk3gA>.
>
>
>
>
>
> _______________________________________________
> CIG-SEISMO mailing list
> CIG-SEISMO at geodynamics.org
> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
--
Rene Gassmoeller
http://www.math.colostate.edu/~gassmoel/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.geodynamics.org/pipermail/cig-seismo/attachments/20180314/92fcff06/attachment-0001.html>
More information about the CIG-SEISMO
mailing list