[CIG-SEISMO] Using Github Protected Branches

Jed Brown jed at jedbrown.org
Wed Mar 14 16:15:42 PDT 2018 

Merging in that mode is a fast-forward so protection doesn't block it
(for anyone authorized to push to the branch).

Dimitri Komatitsch <komatitsch at lma.cnrs-mrs.fr> writes:

> Hi all,
>
> Thanks for the discussion.
>
> I went to https://help.github.com/articles/about-protected-branches but 
> it is not clear to me how one then makes changes in the protected branch 
> (for instance to release a new version of the code by merging "devel" 
> into "master", which we do a few times a year). If that can still be 
> done very easily (if so, how?), then why not; if that becomes complex, 
> then it is likely too complex, at least for SPECFEM.
>
> Thanks,
> Best regards,
> Dimitri.
>
> On 03/14/2018 11:42 PM, Rene Gassmoeller wrote:
>> Hi all,
>> 
>> let me join in on this as one of the maintainers of the ASPECT mantle 
>> convection code. We had the branch protection on Github enabled for our 
>> master branch for several years now (in addition to the automatic tester 
>> that tests pull requests). There are two scenarios in which this can be 
>> helpful:
>> 
>> One of your project's developers (no admin, otherwise you are out of 
>> luck in any case) account is hacked. They have write access to the 
>> repository, but can not change their rights on github. Without a 
>> protected master branch they can force-push to that branch or more 
>> dangerously reset it and delete the complete project history. You would 
>> then need to restore it from a local copy somewhere (hopefully you have 
>> one). They can of course still merge bogus pull requests (unless you add 
>> the required status checks protection), but all of that can be reverted.
>> 
>> The other scenario does not even need evil intentions. Let's assume you 
>> are in a hurry to fix a bug and you do this on the master branch (you 
>> should be on a feature branch, but the next seminar is in 5 minutes and 
>> you can create the branch later). You do not finish the fix, but want to 
>> save the history so you push to your personal github repo for now to 
>> create the pull request later. 'git push origin master'. Unfortunately 
>> you did this on the cluster where you cloned the repository and you 
>> cloned from the main repository instead of your own, so you mess up the 
>> master branch. You walk away and your repo is in an unusable state until 
>> you return or somebody notices. Every user who updated in the meantime 
>> gets an unusable version, and worse, they will get a conflict unless you 
>> fix up the master branch with a new commit (instead of reset it) and 
>> keep the messed up commit in there.
>> 
>> Now I admit these cases need bad luck, but that can happen to anyone 
>> (even experienced admins). While we had no attempts to delete our master 
>> branch yet, people did accidentally upload branches to the main 
>> repository without realizing and having the branch protection on just 
>> gives us some extra peace of mind. Of course that is the decision of 
>> every project, but I personally feel a protected master branch should be 
>> included in the set of best practices.
>> 
>> Cheers,
>> 
>> Rene
>> 
>> 
>> On 03/14/2018 02:43 PM, Tyler Esser wrote:
>>> This conversation was originally started with the SPECFEM Admins 
>>> Github team. There were requests from other people to join the 
>>> discussion so we decided to post it to the mailing list.
>>>
>>>
>>> Tyler Esser
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *Tyler Esser* <notifications at github.com 
>>> <mailto:notifications at github.com>>
>>> Date: Fri, Mar 9, 2018 at 1:05 PM
>>> Subject: [geodynamics/specfem-admins] Using Github's protected 
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>>> Your activity <your_activity at noreply.github.com 
>>> <mailto:your_activity at noreply.github.com>>
>>>
>>>
>>> Hi SPECFEM admins,
>>>
>>> CIG recently had a discussion with a CIG project dev about protecting 
>>> branches from certain actions and discovered that Github has a 
>>> protected branch feature. The option seems to be a good general 
>>> practice and so I wanted to ask what you thought about turning it on 
>>> for SPECFEM master branches. Github documentation for the feature is 
>>> here: https://help.github.com/articles/about-protected-branches/ 
>>> <https://help.github.com/articles/about-protected-branches/>
>>>
>>> Mostly we were interested in preventing accidental deletion or 
>>> altering git history with force pushing, but there are other options 
>>> that may be worth using. See the attached picture.
>>>
>>> protectedbranches 
>>> <https://user-images.githubusercontent.com/15039903/37229838-3e206a58-239a-11e8-8849-4d53b31bb735.png>
>>>
>>> The Github team interface seemed the best way to contact you when 
>>> dealing with Github administration issues. Please let me know if you 
>>> would have preferred a different method.
>>>
>>> Tyler Esser
>>>
>>>>>> You are receiving this because you are subscribed to this thread.
>>> Reply to this email directly, view it on GitHub 
>>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1>, 
>>> or mute the thread 
>>> <https://github.com/notifications/unsubscribe-auth/AOV9nzrbX2pJT4Ic82_OqHyMeMhIB0DGks5tcu6hgaJpZM4Sk3gA>.
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *daniel peter* <notifications at github.com 
>>> <mailto:notifications at github.com>>
>>> Date: Fri, Mar 9, 2018 at 11:20 PM
>>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected 
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>>>
>>>
>>> Hi Tyler,
>>>
>>> probably David has a better answer, since he put most of this already 
>>> in place. I think we already protect the master branch in all SPECFEM 
>>> repos. no pull requests are allowed on master by users. only admins 
>>> are allowed to push/merge commits to it. so the most important 
>>> safeguards from above are already in place.
>>>
>>> as it seems to work pretty well so far for us, i don't see much need 
>>> for further restrictions.
>>>
>>> best wishes,
>>> daniel
>>>
>>>>>> You are receiving this because you authored the thread.
>>> Reply to this email directly, view it on GitHub 
>>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/1>, 
>>> or mute the thread 
>>> <https://github.com/notifications/unsubscribe-auth/AOV9n0lH-Vma93h_RD2hoK0c6U4aI7Gaks5tc368gaJpZM4Sk3gA>.
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *Tyler Esser* <notifications at github.com 
>>> <mailto:notifications at github.com>>
>>> Date: Mon, Mar 12, 2018 at 5:18 PM
>>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected 
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>>> Your activity <your_activity at noreply.github.com 
>>> <mailto:your_activity at noreply.github.com>>
>>>
>>>
>>> When you say the master branch is already protected, are you referring 
>>> to Github branch protection or are you referring to the Github teams 
>>> SPECFEM Admins 
>>> <https://github.com/orgs/geodynamics/teams/specfem-admins/members> and 
>>> SPECFEM Devs 
>>> <https://github.com/orgs/geodynamics/teams/specfem-developers/members> 
>>> being exclusive?
>>>
>>> As far as I can tell, the people in those teams have permission to 
>>> push, merge, force push, and/or delete any branch in the SPECFEM 
>>> repos. If I understand you correctly, that's fine because everyone in 
>>> those teams is already trusted. Is that correct?
>>>
>>> Tyler
>>>
>>>>>> You are receiving this because you are subscribed to this thread.
>>> Reply to this email directly, view it on GitHub 
>>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/2>, 
>>> or mute the thread 
>>> <https://github.com/notifications/unsubscribe-auth/AOV9nyUcEMGqU9oUvZeIZYzYee5129W9ks5tdxBkgaJpZM4Sk3gA>.
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *daniel peter* <notifications at github.com 
>>> <mailto:notifications at github.com>>
>>> Date: Tue, Mar 13, 2018 at 1:46 AM
>>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected 
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>>>
>>>
>>> the master branch is protected by buildbot, which David set up. every 
>>> pull request goes through buildbot which will close it automatically 
>>> if the request is towards the master branch.
>>>
>>> and yes, only those team admins are allowed to push, merge, etc. on 
>>> the master/devel branch which is fine, as they probably know what 
>>> they're doing :)
>>>
>>> -daniel
>>>
>>>>>> You are receiving this because you authored the thread.
>>> Reply to this email directly, view it on GitHub 
>>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/3>, 
>>> or mute the thread 
>>> <https://github.com/notifications/unsubscribe-auth/AOV9n6HUbKXXf0UdPXfPH9BEZBAhWekyks5td4d-gaJpZM4Sk3gA>.
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *Tyler Esser* <notifications at github.com 
>>> <mailto:notifications at github.com>>
>>> Date: Wed, Mar 14, 2018 at 12:09 PM
>>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected 
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>>> Your activity <your_activity at noreply.github.com 
>>> <mailto:your_activity at noreply.github.com>>
>>>
>>>
>>> There's been a few requests to join this discussion. Do you mind if I 
>>> copy this thread to the cig-seismo mailing list?
>>>
>>> Tyler
>>>
>>>>>> You are receiving this because you are subscribed to this thread.
>>> Reply to this email directly, view it on GitHub 
>>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/4>, 
>>> or mute the thread 
>>> <https://github.com/notifications/unsubscribe-auth/AOV9nzlkfKRWyqhmOX1y-zJG6VFZKEobks5teWrngaJpZM4Sk3gA>.
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *daniel peter* <notifications at github.com 
>>> <mailto:notifications at github.com>>
>>> Date: Wed, Mar 14, 2018 at 1:49 PM
>>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected 
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com 
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>, 
>>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>>>
>>>
>>> sure, let's see some more opinions :)
>>>
>>>>>> You are receiving this because you authored the thread.
>>> Reply to this email directly, view it on GitHub 
>>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/5>, 
>>> or mute the thread 
>>> <https://github.com/notifications/unsubscribe-auth/AOV9n9qaWMmQTY0OsoY2qXDakvb2EIIlks5teYJngaJpZM4Sk3gA>.
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> CIG-SEISMO mailing list
>>> CIG-SEISMO at geodynamics.org
>>> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
>> 
>> -- 
>> Rene Gassmoeller
>> http://www.math.colostate.edu/~gassmoel/
>> 
>> 
>> 
>> _______________________________________________
>> CIG-SEISMO mailing list
>> CIG-SEISMO at geodynamics.org
>> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
>> 
>
> -- 
> Dimitri Komatitsch, CNRS Research Director (DR CNRS)
> Laboratory of Mechanics and Acoustics, Marseille, France
> http://komatitsch.free.fr
> _______________________________________________
> CIG-SEISMO mailing list
> CIG-SEISMO at geodynamics.org
> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo

More information about the CIG-SEISMO mailing list