[CIG-SEISMO] Using Github Protected Branches
Lorraine Hwang
ljhwang at ucdavis.edu
Thu Mar 15 10:35:58 PDT 2018
Great! We do mirror the repo but it is best that we play it safe.
thanks everyone for the discussion.
Best,
-Lorraine
*****************************
Lorraine Hwang, Ph.D.
Associate Director, CIG
530.752.3656
> On Mar 15, 2018, at 9:52 AM, Dimitri Komatitsch <komatitsch at lma.cnrs-mrs.fr> wrote:
>
>
> Hi David, Hi all,
>
> Thanks! Very useful. Let us do it then I guess, if everybody agrees.
>
> Thanks,
> Best regards,
> Dimitri.
>
> On 03/15/2018 04:28 PM, David J. Luet wrote:
>> It looks like we can protect the branch master without affecting our workflow. For the most part, we have system in place to prevent people from modifying master, but we don't have a system to prevent a member of the "SPECFEM Admins" or "SPECFEM Developers" team to force push to the master branch. But all the branch protection does is protect us from one of the admins doing "git push --force" after trying, and failing, a regular, fast-forward "git push". Unless we want to remove the ability of the admins to push to the master branch, which would require a change in our workflow.
>> The bottom line is that I think there is no harm in protecting master. It also makes sense to protect the branch devel against force-pushes. But buildbot rejects those anyway, but again not from the admins.
>> David
>> On 3/14/18, 7:27 PM, "CIG-SEISMO on behalf of Jed Brown" <cig-seismo-bounces at geodynamics.org on behalf of jed at jedbrown.org> wrote:
>> Merging in that mode is a fast-forward so protection doesn't block it
>> (for anyone authorized to push to the branch).
>> Dimitri Komatitsch <komatitsch at lma.cnrs-mrs.fr> writes:
>> > Hi all,
>> >
>> > Thanks for the discussion.
>> >
>> > I went to https://help.github.com/articles/about-protected-branches but
>> > it is not clear to me how one then makes changes in the protected branch
>> > (for instance to release a new version of the code by merging "devel"
>> > into "master", which we do a few times a year). If that can still be
>> > done very easily (if so, how?), then why not; if that becomes complex,
>> > then it is likely too complex, at least for SPECFEM.
>> >
>> > Thanks,
>> > Best regards,
>> > Dimitri.
>> >
>> > On 03/14/2018 11:42 PM, Rene Gassmoeller wrote:
>> >> Hi all,
>> >>
>> >> let me join in on this as one of the maintainers of the ASPECT mantle
>> >> convection code. We had the branch protection on Github enabled for our
>> >> master branch for several years now (in addition to the automatic tester
>> >> that tests pull requests). There are two scenarios in which this can be
>> >> helpful:
>> >>
>> >> One of your project's developers (no admin, otherwise you are out of
>> >> luck in any case) account is hacked. They have write access to the
>> >> repository, but can not change their rights on github. Without a
>> >> protected master branch they can force-push to that branch or more
>> >> dangerously reset it and delete the complete project history. You would
>> >> then need to restore it from a local copy somewhere (hopefully you have
>> >> one). They can of course still merge bogus pull requests (unless you add
>> >> the required status checks protection), but all of that can be reverted.
>> >>
>> >> The other scenario does not even need evil intentions. Let's assume you
>> >> are in a hurry to fix a bug and you do this on the master branch (you
>> >> should be on a feature branch, but the next seminar is in 5 minutes and
>> >> you can create the branch later). You do not finish the fix, but want to
>> >> save the history so you push to your personal github repo for now to
>> >> create the pull request later. 'git push origin master'. Unfortunately
>> >> you did this on the cluster where you cloned the repository and you
>> >> cloned from the main repository instead of your own, so you mess up the
>> >> master branch. You walk away and your repo is in an unusable state until
>> >> you return or somebody notices. Every user who updated in the meantime
>> >> gets an unusable version, and worse, they will get a conflict unless you
>> >> fix up the master branch with a new commit (instead of reset it) and
>> >> keep the messed up commit in there.
>> >>
>> >> Now I admit these cases need bad luck, but that can happen to anyone
>> >> (even experienced admins). While we had no attempts to delete our master
>> >> branch yet, people did accidentally upload branches to the main
>> >> repository without realizing and having the branch protection on just
>> >> gives us some extra peace of mind. Of course that is the decision of
>> >> every project, but I personally feel a protected master branch should be
>> >> included in the set of best practices.
>> >>
>> >> Cheers,
>> >>
>> >> Rene
>> >>
>> >>
>> >> On 03/14/2018 02:43 PM, Tyler Esser wrote:
>> >>> This conversation was originally started with the SPECFEM Admins
>> >>> Github team. There were requests from other people to join the
>> >>> discussion so we decided to post it to the mailing list.
>> >>>
>> >>>
>> >>> Tyler Esser
>> >>>
>> >>>
>> >>> ---------- Forwarded message ----------
>> >>> From: *Tyler Esser* <notifications at github.com
>> >>> <mailto:notifications at github.com>>
>> >>> Date: Fri, Mar 9, 2018 at 1:05 PM
>> >>> Subject: [geodynamics/specfem-admins] Using Github's protected
>> >>> branches (#1)
>> >>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>> >>> <http://noreply.github.com>>
>> >>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>> >>> Your activity <your_activity at noreply.github.com
>> >>> <mailto:your_activity at noreply.github.com>>
>> >>>
>> >>>
>> >>> Hi SPECFEM admins,
>> >>>
>> >>> CIG recently had a discussion with a CIG project dev about protecting
>> >>> branches from certain actions and discovered that Github has a
>> >>> protected branch feature. The option seems to be a good general
>> >>> practice and so I wanted to ask what you thought about turning it on
>> >>> for SPECFEM master branches. Github documentation for the feature is
>> >>> here: https://help.github.com/articles/about-protected-branches/
>> >>> <https://help.github.com/articles/about-protected-branches/>
>> >>>
>> >>> Mostly we were interested in preventing accidental deletion or
>> >>> altering git history with force pushing, but there are other options
>> >>> that may be worth using. See the attached picture.
>> >>>
>> >>> protectedbranches
>> >>> <https://user-images.githubusercontent.com/15039903/37229838-3e206a58-239a-11e8-8849-4d53b31bb735.png>
>> >>>
>> >>> The Github team interface seemed the best way to contact you when
>> >>> dealing with Github administration issues. Please let me know if you
>> >>> would have preferred a different method.
>> >>>
>> >>> Tyler Esser
>> >>>
>> >>> —
>> >>> You are receiving this because you are subscribed to this thread.
>> >>> Reply to this email directly, view it on GitHub
>> >>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1>,
>> >>> or mute the thread
>> >>> <https://github.com/notifications/unsubscribe-auth/AOV9nzrbX2pJT4Ic82_OqHyMeMhIB0DGks5tcu6hgaJpZM4Sk3gA>.
>> >>>
>> >>>
>> >>>
>> >>> ---------- Forwarded message ----------
>> >>> From: *daniel peter* <notifications at github.com
>> >>> <mailto:notifications at github.com>>
>> >>> Date: Fri, Mar 9, 2018 at 11:20 PM
>> >>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
>> >>> branches (#1)
>> >>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>> >>> <http://noreply.github.com>>
>> >>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>> >>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>> >>>
>> >>>
>> >>> Hi Tyler,
>> >>>
>> >>> probably David has a better answer, since he put most of this already
>> >>> in place. I think we already protect the master branch in all SPECFEM
>> >>> repos. no pull requests are allowed on master by users. only admins
>> >>> are allowed to push/merge commits to it. so the most important
>> >>> safeguards from above are already in place.
>> >>>
>> >>> as it seems to work pretty well so far for us, i don't see much need
>> >>> for further restrictions.
>> >>>
>> >>> best wishes,
>> >>> daniel
>> >>>
>> >>> —
>> >>> You are receiving this because you authored the thread.
>> >>> Reply to this email directly, view it on GitHub
>> >>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/1>,
>> >>> or mute the thread
>> >>> <https://github.com/notifications/unsubscribe-auth/AOV9n0lH-Vma93h_RD2hoK0c6U4aI7Gaks5tc368gaJpZM4Sk3gA>.
>> >>>
>> >>>
>> >>>
>> >>> ---------- Forwarded message ----------
>> >>> From: *Tyler Esser* <notifications at github.com
>> >>> <mailto:notifications at github.com>>
>> >>> Date: Mon, Mar 12, 2018 at 5:18 PM
>> >>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
>> >>> branches (#1)
>> >>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>> >>> <http://noreply.github.com>>
>> >>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>> >>> Your activity <your_activity at noreply.github.com
>> >>> <mailto:your_activity at noreply.github.com>>
>> >>>
>> >>>
>> >>> When you say the master branch is already protected, are you referring
>> >>> to Github branch protection or are you referring to the Github teams
>> >>> SPECFEM Admins
>> >>> <https://github.com/orgs/geodynamics/teams/specfem-admins/members> and
>> >>> SPECFEM Devs
>> >>> <https://github.com/orgs/geodynamics/teams/specfem-developers/members>
>> >>> being exclusive?
>> >>>
>> >>> As far as I can tell, the people in those teams have permission to
>> >>> push, merge, force push, and/or delete any branch in the SPECFEM
>> >>> repos. If I understand you correctly, that's fine because everyone in
>> >>> those teams is already trusted. Is that correct?
>> >>>
>> >>> Tyler
>> >>>
>> >>> —
>> >>> You are receiving this because you are subscribed to this thread.
>> >>> Reply to this email directly, view it on GitHub
>> >>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/2>,
>> >>> or mute the thread
>> >>> <https://github.com/notifications/unsubscribe-auth/AOV9nyUcEMGqU9oUvZeIZYzYee5129W9ks5tdxBkgaJpZM4Sk3gA>.
>> >>>
>> >>>
>> >>>
>> >>> ---------- Forwarded message ----------
>> >>> From: *daniel peter* <notifications at github.com
>> >>> <mailto:notifications at github.com>>
>> >>> Date: Tue, Mar 13, 2018 at 1:46 AM
>> >>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
>> >>> branches (#1)
>> >>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>> >>> <http://noreply.github.com>>
>> >>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>> >>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>> >>>
>> >>>
>> >>> the master branch is protected by buildbot, which David set up. every
>> >>> pull request goes through buildbot which will close it automatically
>> >>> if the request is towards the master branch.
>> >>>
>> >>> and yes, only those team admins are allowed to push, merge, etc. on
>> >>> the master/devel branch which is fine, as they probably know what
>> >>> they're doing :)
>> >>>
>> >>> -daniel
>> >>>
>> >>> —
>> >>> You are receiving this because you authored the thread.
>> >>> Reply to this email directly, view it on GitHub
>> >>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/3>,
>> >>> or mute the thread
>> >>> <https://github.com/notifications/unsubscribe-auth/AOV9n6HUbKXXf0UdPXfPH9BEZBAhWekyks5td4d-gaJpZM4Sk3gA>.
>> >>>
>> >>>
>> >>>
>> >>> ---------- Forwarded message ----------
>> >>> From: *Tyler Esser* <notifications at github.com
>> >>> <mailto:notifications at github.com>>
>> >>> Date: Wed, Mar 14, 2018 at 12:09 PM
>> >>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
>> >>> branches (#1)
>> >>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>> >>> <http://noreply.github.com>>
>> >>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>> >>> Your activity <your_activity at noreply.github.com
>> >>> <mailto:your_activity at noreply.github.com>>
>> >>>
>> >>>
>> >>> There's been a few requests to join this discussion. Do you mind if I
>> >>> copy this thread to the cig-seismo mailing list?
>> >>>
>> >>> Tyler
>> >>>
>> >>> —
>> >>> You are receiving this because you are subscribed to this thread.
>> >>> Reply to this email directly, view it on GitHub
>> >>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/4>,
>> >>> or mute the thread
>> >>> <https://github.com/notifications/unsubscribe-auth/AOV9nzlkfKRWyqhmOX1y-zJG6VFZKEobks5teWrngaJpZM4Sk3gA>.
>> >>>
>> >>>
>> >>>
>> >>> ---------- Forwarded message ----------
>> >>> From: *daniel peter* <notifications at github.com
>> >>> <mailto:notifications at github.com>>
>> >>> Date: Wed, Mar 14, 2018 at 1:49 PM
>> >>> Subject: Re: [geodynamics/specfem-admins] Using Github's protected
>> >>> branches (#1)
>> >>> To: geodynamics/specfem-admins <"SPECFEM Admins"@noreply.github.com
>> >>> <http://noreply.github.com>>
>> >>> Cc: Tyler Esser <tjesser at ucdavis.edu <mailto:tjesser at ucdavis.edu>>,
>> >>> Author <author at noreply.github.com <mailto:author at noreply.github.com>>
>> >>>
>> >>>
>> >>> sure, let's see some more opinions :)
>> >>>
>> >>> —
>> >>> You are receiving this because you authored the thread.
>> >>> Reply to this email directly, view it on GitHub
>> >>> <https://github.com/orgs/geodynamics/teams/specfem-admins/discussions/1/comments/5>,
>> >>> or mute the thread
>> >>> <https://github.com/notifications/unsubscribe-auth/AOV9n9qaWMmQTY0OsoY2qXDakvb2EIIlks5teYJngaJpZM4Sk3gA>.
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> CIG-SEISMO mailing list
>> >>> CIG-SEISMO at geodynamics.org
>> >>> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
>> >>
>> >> --
>> >> Rene Gassmoeller
>> >> http://www.math.colostate.edu/~gassmoel/
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> CIG-SEISMO mailing list
>> >> CIG-SEISMO at geodynamics.org
>> >> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
>> >>
>> >
>> > --
>> > Dimitri Komatitsch, CNRS Research Director (DR CNRS)
>> > Laboratory of Mechanics and Acoustics, Marseille, France
>> > http://komatitsch.free.fr
>> > _______________________________________________
>> > CIG-SEISMO mailing list
>> > CIG-SEISMO at geodynamics.org
>> > http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
>> _______________________________________________
>> CIG-SEISMO mailing list
>> CIG-SEISMO at geodynamics.org
>> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
>
> --
> Dimitri Komatitsch, CNRS Research Director (DR CNRS)
> Laboratory of Mechanics and Acoustics, Marseille, France
> http://komatitsch.free.fr
> _______________________________________________
> CIG-SEISMO mailing list
> CIG-SEISMO at geodynamics.org
> http://lists.geodynamics.org/cgi-bin/mailman/listinfo/cig-seismo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.geodynamics.org/pipermail/cig-seismo/attachments/20180315/aa0227d8/attachment-0001.html>
More information about the CIG-SEISMO
mailing list