Release is blocked if branch protection is enabled
I want to enforce that each PR/commit is reviewed before merging, so I enabled a GitHub branch protection rule.
However, I find that the projen release workflow will push a commit automatically, which is against the branch protection rule.
Below is the workflow: https://github.com/aws-samples/cdk-keycloak/runs/1976482226?check_suite_focus=true
git push origin $BRANCH
shell: sh -e {0}
env:
CI: true
BRANCH: refs/heads/main
remote: error: GH006: Protected branch update failed for refs/heads/main.
remote: error: At least 1 approving review is required by reviewers with write access.
To https://github.com/aws-samples/cdk-keycloak
! [remote rejected] main -> main (protected branch hook declined)
error: failed to push some refs to 'https://github.com/aws-samples/cdk-keycloak'
Error: Process completed with exit code 1.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:2
- Comments:7 (7 by maintainers)
@Chriscbr Good points.
This will introduce a race condition on “main”. If a commit is merged between the time the PR was created and the time it’s merged, the version will include this change but it will not be accounted for in the changelog. This is probably not an issue for small projects but when traffic on “main” grows, it can be an issue.
This is possible but slightly cumbersome. This is the model we use in the CDK. It requires back-merging from the release branch after every release, which is more automation, and if there is branch protection, you’ll need a dedicated auto-approve workflow…
I’d rather not require every project to install another secret.
The proposed model basically manages version information only through git tags, which is actually a pretty common model. E.g., Go modules use git tags to indicate module version.
It’s also a more robust model than what we have today because there’s a single source of truth (today we need to maintain both tags and a version file in sync).
It will also allow us to cleanly decouple “main” builds and publishing the release. We can say that the main build creates a GitHub release+tag at the end of the build and uploads the build artifact in there.
The publishing workflow(s) are triggered when a new release/tag is created. They download the artifact and publish to the respective package manager.
Indeed!
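The tag-only versioning model proposed in the comment above, sketched as an added example that is not part of the original thread and is not projen's code: the release version is computed at build time from existing tags and the commits since the last tag, so nothing has to be pushed to the protected branch. The function names, the `vX.Y.Z` tag format and the use of Conventional Commits subjects are assumptions.

```sh
#!/bin/sh
# Inputs arrive on stdin so the functions can be exercised without a repository.

# Highest vX.Y.Z tag on stdin, printed as X.Y.Z (0.0.0 when none match).
latest_version() {
  v=$(grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sed 's/^v//' |
      sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
  echo "${v:-0.0.0}"
}

# Commit subjects on stdin -> major | minor | patch | none.
# Assumes Conventional Commits subjects ("feat:", "fix:", "type!:").
bump_kind() {
  subjects=$(cat)
  if [ -z "$subjects" ]; then echo none
  elif printf '%s\n' "$subjects" | grep -Eq '^[a-z]+(\([^)]*\))?!:'; then echo major
  elif printf '%s\n' "$subjects" | grep -Eq '^feat(\([^)]*\))?:'; then echo minor
  else echo patch
  fi
}

# $1 = current X.Y.Z, $2 = bump kind; prints the next version.
next_version() {
  IFS=. read -r major minor patch <<EOF
$1
EOF
  case $2 in
    major) echo "$((major + 1)).0.0" ;;
    minor) echo "$major.$((minor + 1)).0" ;;
    patch) echo "$major.$minor.$((patch + 1))" ;;
    *)     echo "$1" ;;   # no commits since the last tag: nothing to release
  esac
}

# In CI the inputs would come from git (assumed usage, once a first tag exists):
#   cur=$(git tag --list 'v*' | latest_version)
#   kind=$(git log --format=%s "v$cur..HEAD" | bump_kind)
#   git tag "v$(next_version "$cur" "$kind")"   # a tag is pushed, not a commit to main

# Constructed sample input, not taken from the repository in the issue.
demo_tags='v1.2.0
v1.10.0
v1.9.3
nightly'
demo_subjects='fix: handle empty realm name
feat(release): derive version from tags'
cur=$(printf '%s\n' "$demo_tags" | latest_version)
kind=$(printf '%s\n' "$demo_subjects" | bump_kind)
echo "v$cur -> v$(next_version "$cur" "$kind") ($kind)"
```

Because the bump is computed from the commits actually on "main" at build time, a commit merged late is still counted, which addresses the race condition raised above.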