[CIG-SEISMO] Using Github Protected Branches

Dimitri Komatitsch komatitsch at lma.cnrs-mrs.fr
Wed Mar 14 16:11:50 PDT 2018 

Hi all,

Thanks for the discussion.

I went to https://help.github.com/articles/about-protected-branches but 
it is not clear to me how one then makes changes in the protected branch 
(for instance to release a new version of the code by merging "devel" 
into "master", which we do a few times a year). If that can still be 
done very easily (if so, how?), then why not; if that becomes complex, 
then it is likely too complex, at least for SPECFEM.

Thanks,
Best regards,
Dimitri.

On 03/14/2018 11:42 PM, Rene Gassmoeller wrote:
> Hi all,
> 
> let me join in on this as one of the maintainers of the ASPECT mantle 
> convection code. We had the branch protection on Github enabled for our 
> master branch for several years now (in addition to the automatic tester 
> that tests pull requests). There are two scenarios in which this can be 
> helpful:
> 
> One of your project's developers (no admin, otherwise you are out of 
> luck in any case) account is hacked. They have write access to the 
> repository, but can not change their rights on github. Without a 
> protected master branch they can force-push to that branch or more 
> dangerously reset it and delete the complete project history. You would 
> then need to restore it from a local copy somewhere (hopefully you have 
> one). They can of course still merge bogus pull requests (unless you add 
> the required status checks protection), but all of that can be reverted.
> 
> The other scenario does not even need evil intentions. Let's assume you 
> are in a hurry to fix a bug and you do this on the master branch (you 
> should be on a feature branch, but the next seminar is in 5 minutes and 
> you can create the branch later). You do not finish the fix, but want to 
> save the history so you push to your personal github repo for now to 
> create the pull request later. 'git push origin master'. Unfortunately 
> you did this on the cluster where you cloned the repository and you 
> cloned from the main repository instead of your own, so you mess up the 
> master branch. You walk away and your repo is in an unusable state until 
> you return or somebody notices. Every user who updated in the meantime 
> gets an unusable version, and worse, they will get a conflict unless you 
> fix up the master branch with a new commit (instead of reset it) and 
> keep the messed up commit in there.
> 
> Now I admit these cases need bad luck, but that can happen to anyone 
> (even experienced admins). While we had no attempts to delete our master 
> branch yet, people did accidentally upload branches to the main 
> repository without realizing and having the branch protection on just 
> gives us some extra peace of mind. Of course that is the decision of 
> every project, but I personally feel a protected master branch should be 
> included in the set of best practices.
> 
> Cheers,
> 
> Rene
> 
> 
> On 03/14/2018 02:43 PM, Tyler Esser wrote:
>> This conversation was originally started with the SPECFEM Admins 
>> Github team. There were requests from other people to join the 
>> discussion so we decided to post it to the mailing list.
>>
>>
>> Tyler Esser
>>
>>
>> ---------- Forwarded message ----------
>> From: *Tyler Esser* <notifications at github.com 
>> <mailto:notifications at github.com>>
>> Date: Fri, Mar 9, 2018 at 1:05 PM
>> Subject: [geodynamics/specfem-admins] Using Github's protected 
>> branches (#1)
>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>> <http://noreply.github.com>>
>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>> Your activity <your_activity at noreply.github.com 
>> <mailto:your_activity at noreply.github.com>>
>>
>>
>> Hi SPECFEM admins,
>>
>> CIG recently had a discussion with a CIG project dev about protecting 
>> branches from certain actions and discovered that Github has a 
>> protected branch feature. The option seems to be a good general 
>> practice and so I wanted to ask what you thought about turning it on 
>> for SPECFEM master branches. Github documentation for the feature is 
>> here: https://help.github.com/articles/about-protected-branches/ 
>> <https://help.github.com/articles/about-protected-branches/>
>>
>> Mostly we were interested in preventing accidental deletion or 
>> altering git history with force pushing, but there are other options 
>> that may be worth using. See the attached picture.
>>
>> protectedbranches 
>> <https://user-images.githubusercontent.com/15039903/37229838-3e206a58-239a-11e8-8849-4d53b31bb735.png>
>>
>> The Github team interface seemed the best way to contact you when 
>> dealing with Github administration issues. Please let me know if you 
>> would have preferred a different method.
>>
>> Tyler Esser
>>
>>>> You are receiving this because you are subscribed to this thread.
>> Reply to this email directly, view it on GitHub 
>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1>, 
>> or mute the thread 
>> <https://github.com/notifications/unsubscribe-auth/AOV9nzrbX2pJT4Ic82_OqHyMeMhIB0DGks5tcu6hgaJpZM4Sk3gA>.
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: *daniel peter* <notifications at github.com 
>> <mailto:notifications at github.com>>
>> Date: Fri, Mar 9, 2018 at 11:20 PM
>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected 
>> branches (#1)
>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>> <http://noreply.github.com>>
>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>>
>>
>> Hi Tyler,
>>
>> probably David has a better answer, since he put most of this already 
>> in place. I think we already protect the master branch in all SPECFEM 
>> repos. no pull requests are allowed on master by users. only admins 
>> are allowed to push/merge commits to it. so the most important 
>> safeguards from above are already in place.
>>
>> as it seems to work pretty well so far for us, i don't see much need 
>> for further restrictions.
>>
>> best wishes,
>> daniel
>>
>>>> You are receiving this because you authored the thread.
>> Reply to this email directly, view it on GitHub 
>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/1>, 
>> or mute the thread 
>> <https://github.com/notifications/unsubscribe-auth/AOV9n0lH-Vma93h_RD2hoK0c6U4aI7Gaks5tc368gaJpZM4Sk3gA>.
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: *Tyler Esser* <notifications at github.com 
>> <mailto:notifications at github.com>>
>> Date: Mon, Mar 12, 2018 at 5:18 PM
>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected 
>> branches (#1)
>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>> <http://noreply.github.com>>
>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>> Your activity <your_activity at noreply.github.com 
>> <mailto:your_activity at noreply.github.com>>
>>
>>
>> When you say the master branch is already protected, are you referring 
>> to Github branch protection or are you referring to the Github teams 
>> SPECFEM Admins 
>> <https://github.com/orgs/geodynamics/teams/specfem-admins/members> and 
>> SPECFEM Devs 
>> <https://github.com/orgs/geodynamics/teams/specfem-developers/members> 
>> being exclusive?
>>
>> As far as I can tell, the people in those teams have permission to 
>> push, merge, force push, and/or delete any branch in the SPECFEM 
>> repos. If I understand you correctly, that's fine because everyone in 
>> those teams is already trusted. Is that correct?
>>
>> Tyler
>>
>>>> You are receiving this because you are subscribed to this thread.
>> Reply to this email directly, view it on GitHub 
>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/2>, 
>> or mute the thread 
>> <https://github.com/notifications/unsubscribe-auth/AOV9nyUcEMGqU9oUvZeIZYzYee5129W9ks5tdxBkgaJpZM4Sk3gA>.
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: *daniel peter* <notifications at github.com 
>> <mailto:notifications at github.com>>
>> Date: Tue, Mar 13, 2018 at 1:46 AM
>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected 
>> branches (#1)
>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>> <http://noreply.github.com>>
>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>>
>>
>> the master branch is protected by buildbot, which David set up. every 
>> pull request goes through buildbot which will close it automatically 
>> if the request is towards the master branch.
>>
>> and yes, only those team admins are allowed to push, merge, etc. on 
>> the master/devel branch which is fine, as they probably know what 
>> they're doing :)
>>
>> -daniel
>>
>>>> You are receiving this because you authored the thread.
>> Reply to this email directly, view it on GitHub 
>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/3>, 
>> or mute the thread 
>> <https://github.com/notifications/unsubscribe-auth/AOV9n6HUbKXXf0UdPXfPH9BEZBAhWekyks5td4d-gaJpZM4Sk3gA>.
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: *Tyler Esser* <notifications at github.com 
>> <mailto:notifications at github.com>>
>> Date: Wed, Mar 14, 2018 at 12:09 PM
>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected 
>> branches (#1)
>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>> <http://noreply.github.com>>
>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>> Your activity <your_activity at noreply.github.com 
>> <mailto:your_activity at noreply.github.com>>
>>
>>
>> There's been a few requests to join this discussion. Do you mind if I 
>> copy this thread to the cig-seismo mailing list?
>>
>> Tyler
>>
>>>> You are receiving this because you are subscribed to this thread.
>> Reply to this email directly, view it on GitHub 
>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/4>, 
>> or mute the thread 
>> <https://github.com/notifications/unsubscribe-auth/AOV9nzlkfKRWyqhmOX1y-zJG6VFZKEobks5teWrngaJpZM4Sk3gA>.
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: *daniel peter* <notifications at github.com 
>> <mailto:notifications at github.com>>
>> Date: Wed, Mar 14, 2018 at 1:49 PM
>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected 
>> branches (#1)
>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>> <http://noreply.github.com>>
>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>>
>>
>> sure, let's see some more opinions :)
>>
>>>> You are receiving this because you authored the thread.
>> Reply to this email directly, view it on GitHub 
>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/5>, 
>> or mute the thread 
>> <https://github.com/notifications/unsubscribe-auth/AOV9n9qaWMmQTY0OsoY2qXDakvb2EIIlks5teYJngaJpZM4Sk3gA>.
>>
>>
>>
>>
>>
>> _______________________________________________
>> CIG-SEISMO mailing list
>> CIG-SEISMO at geodynamics.org
>> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
> 
> -- 
> Rene Gassmoeller
> http://www.math.colostate.edu/~gassmoel/
> 
> 
> 
> _______________________________________________
> CIG-SEISMO mailing list
> CIG-SEISMO at geodynamics.org
> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
> 

-- 
Dimitri Komatitsch, CNRS Research Director (DR CNRS)
Laboratory of Mechanics and Acoustics, Marseille, France
http://komatitsch.free.fr

More information about the CIG-SEISMO mailing list