Protected branches have been around for a while, and have made numerous improvements over time. GitHub added new rules to protect multiple branches and introduced additional permissions. However, it’s still challenging to consistently protect branches and tags throughout organizations. Managing scripts, cron jobs, various API calls, or third-party tooling to have consistent branch protections is not only annoying but also time-consuming.
It’s time for a new approach
GitHub announced the general availability of repository rules. Repository rules enable easily defined branch protections in public repositories. With flexible targeting options, it can protect multiple branch patterns using a single ruleset. Layering makes bypass scenarios dynamic; a GitHub App can skip status checks with no additional permissions, and administrators can bypass pull requests while still requiring the important CodeQL checks to run.
In line with GitHub’s mission to be the home for all developers, they have integrated GitHub Repository Rules to ensure that everyone collaborating on a repository knows the rules in play for them. An overview page provides visibility on rules applicable to a branch. Relevant information about rule enforcement is available at multiple touchpoints on GitHub.com, Git, and the GitHub CLI. There are also helpful prompts on ensuring the responsible use of bypass permissions.
Twilio has been using GitHub Repository Rules to balance developer experience and security.
“At Twilio, we value the autonomy of our engineering teams, including the ability to manage their own GitHub repositories. However, this autonomy makes compliance and security more challenging. We have successfully used GitHub Repository Rules to help us meet our compliance and security requirements while maintaining team autonomy.”
said, David Betts, Senior Engineering Manager, Twilio.
GitHub Enterprise Cloud customers can enforce these rules across all or a subset of their repositories in an organization. No more tedious audits checking to see if a rule existed; now ensure consistency in one location. If one is not ready to commit to a ruleset, they can trial them in evaluate mode. Rule insights allows us to see what could happen if dismisses stale reviews or enables linear merge history. No more guessing and no more testing in “production.”
Policy enforcement is a big reason Thomson Reuters has been an early adopter of repository rules across their organization.
“Compliance and security controls are fundamental to keeping applications safe. At Thomson Reuters, it’s important we properly enforce these policies. With repository rules, GitHub gives us the confidence to know we are enforcing our policies across an organization effectively, keeping our applications safe for end customers.”
– Darren Trzynka. Senior Cloud Architect,Thomson Reuters
