Release is blocked if branch protection is enabled


I want to enforce that each PR/commit is reviewed before merging, so I enabled a GitHub branch protection rule. However, I find that the projen release workflow pushes a commit automatically, which is against the branch protection rule.

Below is the workflow: https://github.com/aws-samples/cdk-keycloak/runs/1976482226?check_suite_focus=true

git push origin $BRANCH
  shell: sh -e {0}
  env:
    CI: true
    BRANCH: refs/heads/main
remote: error: GH006: Protected branch update failed for refs/heads/main.
remote: error: At least 1 approving review is required by reviewers with write access.
To https://github.com/aws-samples/cdk-keycloak
 ! [remote rejected] main -> main (protected branch hook declined)
error: failed to push some refs to 'https://github.com/aws-samples/cdk-keycloak'
Error: Process completed with exit code 1.


Top GitHub Comments

2 reactions
eladb commented, Mar 17, 2021

@Chriscbr Good points.

Is it possible to have the workflow automatically create a pull request instead of pushing directly, and then auto-approve said PR (maybe with an automerge label, or by calling a REST API endpoint)?

This will introduce a race condition on "main". If a commit is merged between the time the PR was created and the time it's merged, the version will include this change but it will not be accounted for in the changelog. This is probably not an issue for small projects, but when traffic on "main" grows, it can be an issue.

Would creating a separate “release” branch (and applying different release protection rules) solve any of these issues?

This is possible but slightly cumbersome. This is the model we use in the CDK. It requires back-merging from the release branch after every release, which is more automation, and if there is branch protection, you’ll need a dedicated auto-approve workflow…

Is it possible to set the release flow to be run with a custom bot user with limited admin privileges (i.e. no repo deletion) to bypass the branch protection rules? This would require the branch protection rules to be set to not apply to administrators.

I'd rather not require every project to install another secret.


The proposed model basically manages version information only through git tags, which is actually a pretty common model. E.g. Go modules use git tags to indicate module version.

It's also a more robust model than what we have today because there's a single source of truth (today we need to maintain both tags and a version file in sync).

It will also allow us to cleanly decouple “main” builds and publishing the release. We can say that the main build creates a GitHub release+tag at the end of the build and uploads the build artifact in there.

The publishing workflows are triggered when a new release/tag is created. They download the artifact and publish to the respective package manager.
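The two-workflow split described in the comment above, written out as an added example. This is not projen's generated workflow and not code from the issue; it assumes the build produces a tarball under dist/, that the project publishes to npm, and that an NPM_TOKEN secret exists (all placeholders). Nothing here pushes to "main", so branch protection is never in the way: the build workflow reads the latest v* tag as the only version source, creates a new tag plus a GitHub release pinned to the exact commit that was built, and attaches the artifact; the publish workflow only ever consumes a release.

```yaml
# .github/workflows/build.yml (example, not projen's workflow)
name: build
on:
  push:
    branches: [main]
permissions:
  contents: write        # needed for the tag and the release; the job never pushes a commit
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so existing tags are visible
      - name: Build
        run: |
          # Placeholder build step: produces dist/<name>-<version>.tgz
          mkdir -p dist
          npm ci && npm pack --pack-destination dist
      - name: Compute next version from tags only
        id: version
        run: |
          # The latest v* tag is the single source of truth; no version file is committed.
          latest=$(git tag --list 'v*' --sort=-v:refname | head -n1)
          latest=${latest:-v0.0.0}
          IFS=. read -r major minor patch <<< "${latest#v}"
          echo "tag=v${major}.${minor}.$((patch + 1))" >> "$GITHUB_OUTPUT"
      - name: Create tag and release with the artifact attached
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # --target pins the tag to the commit this run built, so a commit merged
          # to main in the meantime cannot change what the version refers to.
          gh release create "${{ steps.version.outputs.tag }}" dist/*.tgz \
            --target "$GITHUB_SHA" \
            --title "${{ steps.version.outputs.tag }}" \
            --generate-notes
---
# .github/workflows/publish.yml (example, not projen's workflow)
name: publish
on:
  release:
    types: [published]
permissions:
  contents: read         # publishing only needs to read the release asset
jobs:
  npm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - name: Download the release artifact
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}   # no checkout, so tell gh which repo to use
        run: gh release download "${{ github.event.release.tag_name }}" --pattern '*.tgz' --dir dist
      - name: Publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
        run: npm publish dist/*.tgz
```

Two caveats a practitioner should check before adopting this shape. First, events raised with the default GITHUB_TOKEN do not start other workflows, so a release created with `github.token` as above will not fire the publish workflow; either create the release with a GitHub App installation token or PAT, or chain the publish job with a `workflow_run` trigger instead of `release`. Second, `contents: write` still lets the job push to any branch that is not protected, so branch protection on "main" remains the control that keeps the release job from rewriting history there; the job should be given no more than that one scope.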

0 reactions
eladb commented, Jun 10, 2021

Indeed!
