[CIG-SEISMO] Using Github Protected Branches
Jed Brown
jed at jedbrown.org
Wed Mar 14 16:15:42 PDT 2018
Merging in that mode is a fast-forward so protection doesn't block it
(for anyone authorized to push to the branch).
Dimitri Komatitsch <komatitsch at lma.cnrs-mrs.fr> writes:
> Hi all,
>
> Thanks for the discussion.
>
> I went to https://help.github.com/articles/about-protected-branches but
> it is not clear to me how one then makes changes in the protected branch
> (for instance to release a new version of the code by merging "devel"
> into "master", which we do a few times a year). If that can still be
> done very easily (if so, how?), then why not; if that becomes complex,
> then it is likely too complex, at least for SPECFEM.
>
> Thanks,
> Best regards,
> Dimitri.
>
> On 03/14/2018 11:42 PM, Rene Gassmoeller wrote:
>> Hi all,
>>
>> let me join in on this as one of the maintainers of the ASPECT mantle
>> convection code. We have had branch protection on GitHub enabled for our
>> master branch for several years now (in addition to the automatic tester
>> that tests pull requests). There are two scenarios in which this can be
>> helpful:
>>
>> One of your project's developers' accounts (not an admin's; otherwise you
>> are out of luck in any case) is hacked. They have write access to the
>> repository, but cannot change their rights on GitHub. Without a
>> protected master branch they can force-push to that branch or more
>> dangerously reset it and delete the complete project history. You would
>> then need to restore it from a local copy somewhere (hopefully you have
>> one). They can of course still merge bogus pull requests (unless you add
>> the required status checks protection), but all of that can be reverted.
>>
>> The other scenario does not even need evil intentions. Let's assume you
>> are in a hurry to fix a bug and you do this on the master branch (you
>> should be on a feature branch, but the next seminar is in 5 minutes and
>> you can create the branch later). You do not finish the fix, but want to
>> save the history so you push to your personal github repo for now to
>> create the pull request later. 'git push origin master'. Unfortunately
>> you did this on the cluster where you cloned the repository and you
>> cloned from the main repository instead of your own, so you mess up the
>> master branch. You walk away and your repo is in an unusable state until
>> you return or somebody notices. Every user who updated in the meantime
>> gets an unusable version, and worse, they will get a conflict unless you
>> fix up the master branch with a new commit (instead of resetting it) and
>> keep the messed-up commit in there.
>>
>> Now I admit these cases need bad luck, but that can happen to anyone
>> (even experienced admins). While we had no attempts to delete our master
>> branch yet, people did accidentally upload branches to the main
>> repository without realizing and having the branch protection on just
>> gives us some extra peace of mind. Of course that is the decision of
>> every project, but I personally feel a protected master branch should be
>> included in the set of best practices.
>>
>> Cheers,
>>
>> Rene
>>
>>
>> On 03/14/2018 02:43 PM, Tyler Esser wrote:
>>> This conversation was originally started with the SPECFEM Admins
>>> Github team. There were requests from other people to join the
>>> discussion so we decided to post it to the mailing list.
>>>
>>>
>>> Tyler Esser
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *Tyler Esser* <notifications at github.com
>>> <mailto:notifications at github.com>>
>>> Date: Fri, Mar 9, 2018 at 1:05 PM
>>> Subject: [geodynamics/specfem-admins] Using Github's protected
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>>> Your activity <your_activity at noreply.github.com
>>> <mailto:your_activity at noreply.github.com>>
>>>
>>>
>>> Hi SPECFEM admins,
>>>
>>> CIG recently had a discussion with a CIG project dev about protecting
>>> branches from certain actions and discovered that Github has a
>>> protected branch feature. The option seems to be a good general
>>> practice and so I wanted to ask what you thought about turning it on
>>> for SPECFEM master branches. Github documentation for the feature is
>>> here: https://help.github.com/articles/about-protected-branches/
>>>
>>> Mostly we were interested in preventing accidental deletion or
>>> altering git history with force pushing, but there are other options
>>> that may be worth using. See the attached picture.
>>>
>>> protectedbranches
>>> <https://user-images.githubusercontent.com/15039903/37229838-3e206a58-239a-11e8-8849-4d53b31bb735.png>
>>>
>>> The Github team interface seemed the best way to contact you when
>>> dealing with Github administration issues. Please let me know if you
>>> would have preferred a different method.
>>>
>>> Tyler Esser
>>>
>>> —
>>> You are receiving this because you are subscribed to this thread.
>>> Reply to this email directly, view it on GitHub
>>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1>,
>>> or mute the thread
>>> <https://github.com/notifications/unsubscribe-auth/AOV9nzrbX2pJT4Ic82_OqHyMeMhIB0DGks5tcu6hgaJpZM4Sk3gA>.
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *daniel peter* <notifications at github.com
>>> <mailto:notifications at github.com>>
>>> Date: Fri, Mar 9, 2018 at 11:20 PM
>>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>>>
>>>
>>> Hi Tyler,
>>>
>>> probably David has a better answer, since he put most of this already
>>> in place. I think we already protect the master branch in all SPECFEM
>>> repos. no pull requests are allowed on master by users. only admins
>>> are allowed to push/merge commits to it. so the most important
>>> safeguards from above are already in place.
>>>
>>> as it seems to work pretty well so far for us, i don't see much need
>>> for further restrictions.
>>>
>>> best wishes,
>>> daniel
>>>
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *Tyler Esser* <notifications at github.com
>>> <mailto:notifications at github.com>>
>>> Date: Mon, Mar 12, 2018 at 5:18 PM
>>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>>> Your activity <your_activity at noreply.github.com
>>> <mailto:your_activity at noreply.github.com>>
>>>
>>>
>>> When you say the master branch is already protected, are you referring
>>> to Github branch protection or are you referring to the Github teams
>>> SPECFEM Admins
>>> <https://github.com/orgs/geodynamics/teams/specfem-admins/members> and
>>> SPECFEM Devs
>>> <https://github.com/orgs/geodynamics/teams/specfem-developers/members>
>>> being exclusive?
>>>
>>> As far as I can tell, the people in those teams have permission to
>>> push, merge, force push, and/or delete any branch in the SPECFEM
>>> repos. If I understand you correctly, that's fine because everyone in
>>> those teams is already trusted. Is that correct?
>>>
>>> Tyler
>>>
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *daniel peter* <notifications at github.com
>>> <mailto:notifications at github.com>>
>>> Date: Tue, Mar 13, 2018 at 1:46 AM
>>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>>>
>>>
>>> the master branch is protected by buildbot, which David set up. every
>>> pull request goes through buildbot which will close it automatically
>>> if the request is towards the master branch.
>>>
>>> and yes, only those team admins are allowed to push, merge, etc. on
>>> the master/devel branch which is fine, as they probably know what
>>> they're doing :)
>>>
>>> -daniel
>>>
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *Tyler Esser* <notifications at github.com
>>> <mailto:notifications at github.com>>
>>> Date: Wed, Mar 14, 2018 at 12:09 PM
>>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>>> Your activity <your_activity at noreply.github.com
>>> <mailto:your_activity at noreply.github.com>>
>>>
>>>
>>> There's been a few requests to join this discussion. Do you mind if I
>>> copy this thread to the cig-seismo mailing list?
>>>
>>> Tyler
>>>
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *daniel peter* <notifications at github.com
>>> <mailto:notifications at github.com>>
>>> Date: Wed, Mar 14, 2018 at 1:49 PM
>>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
>>> branches (#1)
>>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>>> <http://noreply.github.com>>
>>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>>>
>>>
>>> sure, let's see some more opinions :)
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> CIG-SEISMO mailing list
>>> CIG-SEISMO at geodynamics.org
>>> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
>>
>> --
>> Rene Gassmoeller
>> http://www.math.colostate.edu/~gassmoel/
>>
>>
>>
>>
>
> --
> Dimitri Komatitsch, CNRS Research Director (DR CNRS)
> Laboratory of Mechanics and Acoustics, Marseille, France
> http://komatitsch.free.fr
> _______________________________________________
> CIG-SEISMO mailing list
> CIG-SEISMO at geodynamics.org
> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
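
Added example (not part of the original thread or of any project's tooling): a local reproduction of the behaviour discussed above, using git's own `receive.denyNonFastForwards` and `receive.denyDeletes` settings on a throwaway bare repository as a stand-in for GitHub branch protection. The branch names `master` and `devel` follow the thread; the repository paths, the `try` helper and the commit identity are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example. Stand-in for GitHub branch protection using git's own
# server-side settings; unlike GitHub's per-branch rules these cover every ref.
try() {  # try LABEL CMD...: report whether the server accepted the push
  local label=$1; shift
  if "$@" >/dev/null 2>&1; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

demo_protected_release() {
  local work; work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    git init -q --bare server.git
    git -C server.git config receive.denyNonFastForwards true  # no force-push
    git -C server.git config receive.denyDeletes true          # no branch deletion

    git init -q dev && cd dev || exit 1
    git symbolic-ref HEAD refs/heads/master
    git config user.name "Example Dev"           # constructed identity
    git config user.email "dev@example.invalid"
    git config commit.gpgsign false
    git remote add origin "$work/server.git"
    git commit -q --allow-empty -m "release 1"
    git push -q origin master
    git checkout -q -b devel
    git commit -q --allow-empty -m "work on devel"

    # Release: master has not diverged, so merging devel is a fast-forward.
    git checkout -q master
    git merge -q --ff-only devel
    try "fast-forward release" git push origin master

    # Rewritten history: the local master no longer contains the server's tip.
    git reset -q --hard HEAD~1
    git commit -q --allow-empty -m "rewritten history"
    try "force-push" git push --force origin master
    try "branch deletion" git push origin --delete master

    # The server's master must still be the released devel tip.
    if [ "$(git -C "$work/server.git" rev-parse master)" = "$(git rev-parse devel)" ]
    then echo "server master intact: yes"; else echo "server master intact: no"; fi
  )
  rm -rf "$work"
}

demo_protected_release
```

The release push goes through because the server only has to advance `master` along existing history; the force-push and the deletion are refused and the released history stays on the server.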