GitHub Branch Protection Guide: Preventing Direct Commits to Main
Introduction
Branch protection rules are essential for maintaining code quality and preventing accidental or unauthorized changes to important branches like main. This guide will walk you through setting up branch protection rules in GitHub and ensuring they're properly enforced across your organization.
Setting Up Branch Protection Rules
Basic Branch Protection
Navigate to your repository on GitHub
Click on "Settings" in the top navigation bar
In the left sidebar, click on "Branches"
Under "Branch protection rules," click "Add rule"
In the "Branch name pattern" field, enter main (or your default branch name)
Check the following options:
"Require a pull request before merging"
"Require approvals" (set the number of required reviewers, typically at least 1)
"Dismiss stale pull request approvals when new commits are pushed"
"Require status checks to pass before merging"
"Require branches to be up to date before merging"
Under "Rules applied to everyone including administrators", check "Do not allow bypassing the above settings"
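The same checklist can be applied without clicking through the UI, which is how you keep dozens of repositories consistent. The Python below is an added example, not code from the original page or from GitHub: it builds the JSON body for GitHub's REST endpoint PUT /repos/{owner}/{repo}/branches/{branch}/protection so that each field maps onto one of the checkboxes above. The field names follow GitHub's REST API; the status-check context names and the owner/repo in the comment are constructed placeholders.

```python
"""Build a branch protection body matching the checklist in this guide.

Added example (not GitHub's own code).  Field names follow the REST API for
PUT /repos/{owner}/{repo}/branches/{branch}/protection; the CI context names
used as defaults are constructed placeholders.
"""
import json


def branch_protection_payload(required_approvals=1,
                              status_checks=("ci/build", "ci/test"),
                              enforce_admins=True,
                              push_allowlist=None):
    """Return the dict GitHub expects for the protection endpoint.

    required_approvals -> "Require approvals" (must be at least 1)
    status_checks      -> "Require status checks to pass before merging"
    enforce_admins     -> "Do not allow bypassing the above settings"
    push_allowlist     -> optional {"users": [...], "teams": [...]} for
                          "Restrict who can push to matching branches"
    """
    if required_approvals < 1:
        raise ValueError("at least one approving review is required")

    payload = {
        # "Require status checks to pass" + "Require branches to be up to date"
        # (strict=True is the "up to date" checkbox).
        "required_status_checks": {
            "strict": True,
            "contexts": list(status_checks),
        },
        # Apply every rule to administrators as well.
        "enforce_admins": bool(enforce_admins),
        # "Require a pull request before merging", approvals count and
        # "Dismiss stale pull request approvals when new commits are pushed".
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": True,
            "required_approving_review_count": int(required_approvals),
        },
        # null = no push restriction; otherwise an allow-list (below).
        "restrictions": None,
        # Never allow history rewrites or deletion of the protected branch.
        "allow_force_pushes": False,
        "allow_deletions": False,
    }
    if push_allowlist:
        payload["restrictions"] = {
            "users": list(push_allowlist.get("users", [])),
            "teams": list(push_allowlist.get("teams", [])),
        }
    return payload


def render_json(payload):
    """Pretty-print the body so it can be reviewed before it is sent."""
    return json.dumps(payload, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Save the output as protection.json and apply it with the GitHub CLI:
    #   gh api -X PUT repos/OWNER/REPO/branches/main/protection --input protection.json
    # (OWNER/REPO is a placeholder; the call needs a token with admin rights.)
    print(render_json(branch_protection_payload(required_approvals=1)))
```

Review the rendered JSON before applying it: once enforce_admins is true, the account that sends the request is bound by the rules too, which is exactly what the "Do not allow bypassing" checkbox is for.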
Advanced Protection Settings
For stronger protection:
Enable "Include administrators" to apply rules to everyone
Check "Restrict who can push to matching branches" if you want only specific teams/people to merge PRs
Enable "Allow force pushes" only for specific people/teams if absolutely necessary
Enforcing Organization-Wide Branch Protection
To ensure consistent protection across all repositories:
Using Organization Repository Rules
Navigate to your GitHub organization
Click on "Settings" in the top navigation menu
In the left sidebar, click on "Repository rules"
Click "New rule"
Name your rule (e.g., "Main Branch Protection")
Under "Branch protections", configure the same settings as above
Set the rule to apply to:
All repositories, or
Repositories matching specific criteria (e.g., visibility, topics)
Click "Create rule"
Using GitHub Enterprise Policies (For Enterprise Accounts)
If you have GitHub Enterprise:
Go to your enterprise account settings
Navigate to "Policies" > "Repository"
Under "Repository policies", scroll to "Branch protection rules"
Enable "Require branch protection rules" and configure the default settings
Save your changes
Verifying Branch Protection
To ensure your protections are working correctly:
Try pushing directly to the main branch from a local repository
This should be rejected with an error message
Create a new branch, commit changes, and push the branch
Then create a PR in the GitHub UI
Attempt to merge the PR without meeting requirements (this should be blocked)
Troubleshooting Common Issues
Settings not applying: Verify "Include administrators" is checked
Bypassed protections: Check that "Do not allow bypassing the above settings" is enabled
Repository-specific exceptions: Review organization rules for conflicts
Branch deletion issues: Enable "Restrict deletions" in branch protection settings
Best Practices
Protect all production branches (main, production, etc.)
Require at least one review for all PRs
Configure required status checks for CI/CD pipelines
Consider requiring signed commits for additional security
Regularly audit branch protection settings across repositories
Document your branch protection strategy for team reference
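Auditing settings across many repositories is easier to automate than to eyeball, and the audit doubles as the verification step described earlier. The Python below is an added example, not code from the original page or from GitHub: it checks the JSON object returned by GET /repos/{owner}/{repo}/branches/{branch}/protection against the checklist in this guide and reports every gap. The field names follow GitHub's REST API (where the endpoint returns 404 for an unprotected branch, pass None); the two sample responses and the repository names are constructed for illustration.

```python
"""Audit branch protection responses against the checklist in this guide.

Added example (not GitHub's own code).  `protection` is the object returned by
GET /repos/{owner}/{repo}/branches/{branch}/protection, or None when the API
answered 404 "Branch not protected".  Sample data below is constructed.
"""


def _enabled(protection, key):
    """The GET endpoint nests booleans as {"enabled": true/false}."""
    return bool((protection.get(key) or {}).get("enabled", False))


def audit_branch_protection(protection, min_approvals=1):
    """Return a list of findings; an empty list means the checklist is met."""
    if not protection:
        return ["branch is not protected at all"]
    findings = []

    # "Require a pull request before merging" / "Require approvals" / dismiss stale
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request not required before merging")
    else:
        if reviews.get("required_approving_review_count", 0) < min_approvals:
            findings.append(f"fewer than {min_approvals} approving review(s) required")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale approvals are not dismissed on new commits")

    # "Require status checks to pass" / "Require branches to be up to date"
    checks = protection.get("required_status_checks")
    if checks is None or not (checks.get("contexts") or checks.get("checks")):
        findings.append("no required status checks")
    elif not checks.get("strict", False):
        findings.append("branch not required to be up to date before merging")

    # "Include administrators" / "Do not allow bypassing the above settings"
    if not _enabled(protection, "enforce_admins"):
        findings.append("administrators can bypass protection")
    if _enabled(protection, "allow_force_pushes"):
        findings.append("force pushes allowed")
    if _enabled(protection, "allow_deletions"):
        findings.append("branch deletion allowed")
    # "Consider requiring signed commits"
    if not _enabled(protection, "required_signatures"):
        findings.append("signed commits not required (recommended)")
    return findings


def audit_many(branches):
    """branches: {"owner/repo:branch": protection_or_None} -> only the non-compliant ones."""
    return {name: f for name, p in branches.items() if (f := audit_branch_protection(p))}


# Constructed sample: someone ticked "Require a pull request" and nothing else.
WEAK_PROTECTION = {
    "required_pull_request_reviews": {"dismiss_stale_reviews": False,
                                      "required_approving_review_count": 0},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
    "required_signatures": {"enabled": False},
}

# Constructed sample: the configuration this guide recommends.
HARDENED_PROTECTION = {
    "required_pull_request_reviews": {"dismiss_stale_reviews": True,
                                      "required_approving_review_count": 1},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_signatures": {"enabled": True},
}

if __name__ == "__main__":
    # In practice each value comes from:
    #   gh api repos/OWNER/REPO/branches/main/protection   (404 -> None)
    sample = {"acme/api:main": WEAK_PROTECTION,
              "acme/web:main": HARDENED_PROTECTION,
              "acme/tools:main": None}
    for name, findings in audit_many(sample).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it on a schedule and treat any non-empty result as drift: the "Settings not applying" and "Bypassed protections" cases from the troubleshooting list show up here as the "administrators can bypass protection" finding.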
By implementing these protections, you'll help ensure code quality and prevent accidental deployments to critical branches.