[CIG-SEISMO] Using Github Protected Branches

Rene Gassmoeller rene.gassmoeller at mailbox.org
Wed Mar 14 16:13:47 PDT 2018


Oh, I was not clear about that. The options are enabled for admins as
well (no force push, no deletions of the master branch), but if you are
an admin you can remove the protected branch feature on github, so if
you are hacked then you are out of luck. It protects me as an admin from
my own mistakes (which inevitably happen), but it cannot save me if
somebody compromises my account.

I should also mention that the protected branch feature only keeps you
from doing things that you would / should never want to do anyway. It
just prevents accidents.

Best,

Rene


On 03/14/2018 04:08 PM, Tyler Esser wrote:
> Talking with Louise and Lorraine, it seems that CIG's position is that
> anything that protects against accidents or compromised accounts is
> seen as best practices. Rene mentioned that having an admin make a
> mistake means you're out of luck, but protected branches do have the
> option to enforce their settings even on admins. Have the Aspect devs
> discussed flipping that switch and applying the limitations to admins
> as well?
>
>
> Tyler
>
> On Wed, Mar 14, 2018 at 3:42 PM, Rene Gassmoeller
> <rene.gassmoeller at mailbox.org>
> wrote:
>
>     Hi all,
>
>     let me join in on this as one of the maintainers of the ASPECT
>     mantle convection code. We have had branch protection on Github
>     enabled for our master branch for several years now (in addition
>     to the automatic tester that tests pull requests). There are two
>     scenarios in which this can be helpful:
>
>     The account of one of your project's developers (not an admin,
>     otherwise you are out of luck in any case) is hacked. They have
>     write access to the repository, but cannot change their rights on
>     github. Without a protected master branch they can force-push to
>     that branch or, more dangerously, reset it and delete the complete
>     project history. You would then need to restore it from a local
>     copy somewhere (hopefully you have one). They can of course still
>     merge bogus pull requests (unless you add the required status
>     checks protection), but all of that can be reverted.
>
>     The other scenario does not even need evil intentions. Let's
>     assume you are in a hurry to fix a bug and you do this on the
>     master branch (you should be on a feature branch, but the next
>     seminar is in 5 minutes and you can create the branch later). You
>     do not finish the fix, but want to save the history so you push to
>     your personal github repo for now to create the pull request
>     later. 'git push origin master'. Unfortunately you did this on the
>     cluster where you cloned the repository and you cloned from the
>     main repository instead of your own, so you mess up the master
>     branch. You walk away and your repo is in an unusable state until
>     you return or somebody notices. Every user who updated in the
>     meantime gets an unusable version, and worse, they will get a
>     conflict unless you fix up the master branch with a new commit
>     (instead of reset it) and keep the messed up commit in there.
>
>     Now I admit these cases need bad luck, but that can happen to
>     anyone (even experienced admins). While we had no attempts to
>     delete our master branch yet, people did accidentally upload
>     branches to the main repository without realizing and having the
>     branch protection on just gives us some extra peace of mind. Of
>     course that is the decision of every project, but I personally
>     feel a protected master branch should be included in the set of
>     best practices.
>
>     Cheers,
>
>     Rene
>
>
>     On 03/14/2018 02:43 PM, Tyler Esser wrote:
>>     This conversation was originally started with the SPECFEM Admins
>>     Github team. There were requests from other people to join the
>>     discussion so we decided to post it to the mailing list.
>>
>>
>>     Tyler Esser
>>
>>
>>     ---------- Forwarded message ----------
>>     From: Tyler Esser <notifications at github.com>
>>     Date: Fri, Mar 9, 2018 at 1:05 PM
>>     Subject: [geodynamics/specfem-admins] Using Github's protected
>>     branches (#1)
>>     To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com>
>>     Cc: Tyler Esser <tjesser at ucdavis.edu>, Your activity
>>     <your_activity at noreply.github.com>
>>
>>
>>     Hi SPECFEM admins,
>>
>>     CIG recently had a discussion with a CIG project dev about
>>     protecting branches from certain actions and discovered that
>>     Github has a protected branch feature. The option seems to be a
>>     good general practice and so I wanted to ask what you thought
>>     about turning it on for SPECFEM master branches. Github
>>     documentation for the feature is here:
>>     https://help.github.com/articles/about-protected-branches/
>>
>>     Mostly we were interested in preventing accidental deletion or
>>     altering git history with force pushing, but there are other
>>     options that may be worth using. See the attached picture.
>>
>>     protectedbranches (attached screenshot):
>>     <https://user-images.githubusercontent.com/15039903/37229838-3e206a58-239a-11e8-8849-4d53b31bb735.png>
>>
>>     The Github team interface seemed the best way to contact you when
>>     dealing with Github administration issues. Please let me know if
>>     you would have preferred a different method.
>>
>>     Tyler Esser
>>
>>
>>
>>
>>     ---------- Forwarded message ----------
>>     From: daniel peter <notifications at github.com>
>>     Date: Fri, Mar 9, 2018 at 11:20 PM
>>     Subject: Re: [geodynamics/specfem-admins] Using Github's
>>     protected branches (#1)
>>     To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com>
>>     Cc: Tyler Esser <tjesser at ucdavis.edu>, Author <author at noreply.github.com>
>>
>>
>>     Hi Tyler,
>>
>>     Probably David has a better answer, since he put most of this
>>     already in place. I think we already protect the master branch in
>>     all SPECFEM repos. No pull requests are allowed on master by
>>     users. Only admins are allowed to push/merge commits to it. So
>>     the most important safeguards from above are already in place.
>>
>>     As it seems to work pretty well so far for us, I don't see much
>>     need for further restrictions.
>>
>>     best wishes,
>>     daniel
>>
>>
>>
>>
>>     ---------- Forwarded message ----------
>>     From: Tyler Esser <notifications at github.com>
>>     Date: Mon, Mar 12, 2018 at 5:18 PM
>>     Subject: Re: [geodynamics/specfem-admins] Using Github's
>>     protected branches (#1)
>>     To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com>
>>     Cc: Tyler Esser <tjesser at ucdavis.edu>, Your activity
>>     <your_activity at noreply.github.com>
>>
>>
>>     When you say the master branch is already protected, are you
>>     referring to Github branch protection or are you referring to the
>>     Github teams SPECFEM Admins
>>     <https://github.com/orgs/geodynamics/teams/specfem-admins/members>
>>     and SPECFEM Devs
>>     <https://github.com/orgs/geodynamics/teams/specfem-developers/members>
>>     being exclusive?
>>
>>     As far as I can tell, the people in those teams have permission
>>     to push, merge, force push, and/or delete any branch in the
>>     SPECFEM repos. If I understand you correctly, that's fine because
>>     everyone in those teams is already trusted. Is that correct?
>>
>>     Tyler
>>
>>
>>
>>
>>     ---------- Forwarded message ----------
>>     From: daniel peter <notifications at github.com>
>>     Date: Tue, Mar 13, 2018 at 1:46 AM
>>     Subject: Re: [geodynamics/specfem-admins] Using Github's
>>     protected branches (#1)
>>     To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com>
>>     Cc: Tyler Esser <tjesser at ucdavis.edu>, Author <author at noreply.github.com>
>>
>>
>>     The master branch is protected by buildbot, which David set up.
>>     Every pull request goes through buildbot, which will close it
>>     automatically if the request is towards the master branch.
>>
>>     And yes, only those team admins are allowed to push, merge, etc.
>>     on the master/devel branch, which is fine, as they probably know
>>     what they're doing :)
>>
>>     -daniel
>>
>>
>>
>>
>>     ---------- Forwarded message ----------
>>     From: Tyler Esser <notifications at github.com>
>>     Date: Wed, Mar 14, 2018 at 12:09 PM
>>     Subject: Re: [geodynamics/specfem-admins] Using Github's
>>     protected branches (#1)
>>     To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com>
>>     Cc: Tyler Esser <tjesser at ucdavis.edu>, Your activity
>>     <your_activity at noreply.github.com>
>>
>>
>>     There's been a few requests to join this discussion. Do you mind
>>     if I copy this thread to the cig-seismo mailing list?
>>
>>     Tyler
>>
>>
>>
>>
>>     ---------- Forwarded message ----------
>>     From: daniel peter <notifications at github.com>
>>     Date: Wed, Mar 14, 2018 at 1:49 PM
>>     Subject: Re: [geodynamics/specfem-admins] Using Github's
>>     protected branches (#1)
>>     To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com>
>>     Cc: Tyler Esser <tjesser at ucdavis.edu>, Author <author at noreply.github.com>
>>
>>
>>     sure, let's see some more opinions :)
>>
>>
>>
>>
>>
>>
>>     _______________________________________________
>>     CIG-SEISMO mailing list
>>     CIG-SEISMO at geodynamics.org
>>     http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
>
>     -- 
>     Rene Gassmoeller
>     http://www.math.colostate.edu/~gassmoel/
>
>
>
>
>
>

-- 
Rene Gassmoeller
http://www.math.colostate.edu/~gassmoel/
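The two dangerous pushes discussed in this thread (a force push that rewrites master, and a deletion of master) reproduced against a local bare repository, as an added example that is not part of the thread and not tooling from the ASPECT or SPECFEM projects. The pre-receive hook below stands in for the server-side checks that GitHub's protected-branch feature performs; it is not GitHub's implementation. The hook name, its messages, the temp-directory layout, the throwaway author identity and the `receive.denyDeleteCurrent` setting are assumptions made for this demo, and it needs `git` on the PATH.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from ASPECT/SPECFEM.
# A bare repository whose pre-receive hook refuses force pushes (non-fast-forward
# updates) and deletions of refs/heads/master, next to an identical repository
# without the hook, to show what a careless or compromised developer can do
# to an unprotected master branch. Hook name, messages and layout are ours.
set -u
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# make_remote DIR protected|open : create a bare repo, with the hook if "protected".
make_remote() {
  git init -q --bare "$1"
  git --git-dir="$1" symbolic-ref HEAD refs/heads/master
  # git itself refuses to delete the branch HEAD points at; switch that off so
  # the hook is the only safeguard, like GitHub without branch protection.
  git --git-dir="$1" config receive.denyDeleteCurrent ignore
  [ "$2" = protected ] || return 0
  cat > "$1/hooks/pre-receive" <<'EOF'
#!/bin/sh
# stdin carries one "<old-sha> <new-sha> <refname>" line per pushed ref.
# A non-zero exit rejects the whole push; the incoming objects are readable here.
zero=0000000000000000000000000000000000000000
rc=0
while read -r old new ref; do
  [ "$ref" = refs/heads/master ] || continue
  if [ "$new" = "$zero" ]; then
    echo "protected branch: refusing to delete master" >&2; rc=1
  elif [ "$old" != "$zero" ] && ! git merge-base --is-ancestor "$old" "$new"; then
    echo "protected branch: refusing non-fast-forward (force) push to master" >&2; rc=1
  fi
done
exit $rc
EOF
  chmod +x "$1/hooks/pre-receive"
}

# seed_clone REMOTE DIR : clone REMOTE into DIR and push two commits to master.
seed_clone() {
  git clone -q "$1" "$2" 2>/dev/null
  ( cd "$2" && git symbolic-ref HEAD refs/heads/master \
    && echo one >f && git add f && git commit -q -m c1 \
    && echo two >f && git commit -q -am c2 \
    && git push -q origin master ) >/dev/null 2>&1
}

# Each probe pushes from clone DIR and prints "accepted" or "rejected".
probe_fast_forward() {   # normal work: a new commit on top of master
  ( cd "$1" && echo three >f && git commit -q -am c3 && git push -q origin master ) \
    >/dev/null 2>&1 && echo accepted || echo rejected
}
probe_force_push() {     # history rewrite: amend HEAD, then push --force
  ( cd "$1" && git commit -q --amend -m rewritten && git push -q --force origin master ) \
    >/dev/null 2>&1 && echo accepted || echo rejected
}
probe_delete() {         # wipe the branch on the remote
  ( cd "$1" && git push -q origin :master ) >/dev/null 2>&1 && echo accepted || echo rejected
}

# run_scenario protected|open : builds a fresh remote and clone in a temp dir
# and prints one line "ff=<result> force=<result> delete=<result>".
run_scenario() {
  work="$(mktemp -d)"
  make_remote "$work/main.git" "$1"
  seed_clone "$work/main.git" "$work/dev"
  printf 'ff=%s force=%s delete=%s\n' \
    "$(probe_fast_forward "$work/dev")" \
    "$(probe_force_push "$work/dev")" \
    "$(probe_delete "$work/dev")"
  rm -rf "$work"
}

echo "open repository:      $(run_scenario open)"
echo "protected repository: $(run_scenario protected)"
```

Run as a plain `sh` script: the open repository reports `ff=accepted force=accepted delete=accepted`, the protected one `ff=accepted force=rejected delete=rejected`, which is the behaviour the thread wants for master. Ordinary fast-forward pushes are unaffected, so the rule only blocks things a developer should never do to the shared branch anyway. What the hook cannot model is Rene's caveat at the top of the thread: whoever administers the server (here, whoever can edit the `hooks` directory) can remove the rule, so this guards against mistakes and compromised non-admin accounts, not against a compromised admin. A required-status-checks rule, the other option mentioned in the thread, would be a further check in the same hook rather than something git enforces by itself.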
