Can we give push access while still restricting who can merge to master? #58

Closed
galargh opened this issue Aug 1, 2022 · 6 comments

Comments

Member

galargh commented Aug 1, 2022

Giving more people push access to github-mgmt repositories would simplify the change proposal process - create a branch in github-mgmt vs create a github-mgmt fork.

Right now, if you have push access to github-mgmt, you are allowed to merge PRs, i.e. introduce changes to GitHub configuration.

Would it be possible to give people access to create branches but not allow them to merge PRs?

One idea worth exploring is the "Require review from Code Owners" setting on protected branches. While it wouldn't restrict anyone from merging PRs, maybe it would allow us to limit the "mergeable" PRs only to those already reviewed by a subset of those with push access and above.

Since this is quite a sensitive task, it'll require extensive testing.

Member Author

galargh commented Aug 1, 2022

Relevant issue: ipfs/github-mgmt#30

Member Author

galargh commented Aug 1, 2022

User feedback:

it’s easier to complain on Slack than make all the forked repos to even propose changes

While the GitHub UI makes it (making forks) relatively easy, it's more annoying to work with locally.

lack of permission means that I can't add reviewers / labels to my PRs, so can't notify relevant people on proposed changes

Member Author

galargh commented Aug 1, 2022

"Limit to users explicitly granted read or higher access" in Code review limits might be worth looking at too.

Member Author

galargh commented Aug 1, 2022

Things to consider: access to repository secrets.

Member Author

galargh commented Aug 4, 2022

Unfortunately, push access is too powerful to give out to all org members.

Push access to a repository allows users to read repository secrets. In particular, in the case of GitHub Management, that would be a gh token used for introducing changes to the organization.
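
A defensive check of the two settings weighed in this thread (code owner review on the protected branch, and push access on a repository that holds secrets), as an added example that is not part of the original issue or of the github-mgmt code. The dictionary keys follow the GitHub REST API responses for branch protection and collaborators; the logins, the `CODE_OWNERS` set and the secret name are constructed for illustration.

```python
# Constructed sample data; keys follow the GitHub REST API responses for
# branch protection and repository collaborators.
PROTECTION = {
    "required_pull_request_reviews": {"require_code_owner_reviews": True},
    "enforce_admins": {"enabled": True},
}
COLLABORATORS = [
    {"login": "alice", "permissions": {"admin": True, "push": True}},
    {"login": "bob", "permissions": {"admin": False, "push": True}},
    {"login": "carol", "permissions": {"admin": False, "push": False}},
]
CODE_OWNERS = {"alice"}           # assumption: logins named in CODEOWNERS
SECRET_NAMES = ["EXAMPLE_TOKEN"]  # hypothetical repository secret name


def audit(protection, collaborators, code_owners, secret_names):
    """Report who can push, whether merging is gated on code owner review,
    and which push-capable users are not code owners."""
    protection = protection or {}  # None models an unprotected branch
    reviews = protection.get("required_pull_request_reviews") or {}
    admins_bound = (protection.get("enforce_admins") or {}).get("enabled", False)
    # Without enforce_admins, repository admins can bypass the review rule.
    gated = bool(reviews.get("require_code_owner_reviews")) and admins_bound
    pushers = sorted(c["login"] for c in collaborators
                     if c.get("permissions", {}).get("push"))
    outside = [p for p in pushers if p not in code_owners]
    findings = []
    if not gated:
        findings.append("merging is not gated on code owner review")
    if secret_names and outside:
        # Per the thread: push access is enough to reach repository secrets,
        # so review gating alone does not make these grants safe.
        findings.append("push access outside code owners on a repo with "
                        "secrets: " + ", ".join(outside))
    return {"pushers": pushers, "merge_gated": gated,
            "pushers_outside_code_owners": outside, "findings": findings}


if __name__ == "__main__":
    for line in audit(PROTECTION, COLLABORATORS, CODE_OWNERS, SECRET_NAMES)["findings"]:
        print("FINDING:", line)
```
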

Member Author

galargh commented Aug 5, 2022

Additional feedback on why fork-based workflow might be suboptimal:

I do find the need to fork quite suboptimal in terms of my personal workflow: while GitHub makes the fork, it has side effects I am uncomfortable with:
- it sends a notification of a new repo to my followers
- it routes emails for notifications on the fork to my GitHub-default personal email rather than my org-default work email
