Branch protection not working as expected

Hi, I have specified protected branches in one of my repos like so:

[master,develop]*

I have selected the following restrictions initially:

  • Require pull request reviews before merging
  • Dismiss stale pull request approvals when new commits are pushed

I wanted to allow a certain group of people permission to push to the protected branches so I checked the option below and noticed that the users included in this setting are not able to push to the master or develop branch. They all have “maintain” access to the repo.

  • Restrict who can push to matching branches

There’s also an option about branch protection rules also applying to administrators; if that is checked, it might be conflicting with the exceptions specified in Restrict who can push to matching branches.

No, I don’t have this checked.

I also find all these rules a bit confusing, for it’s unclear sometimes how they overlap, and which roles they apply to.

The documentation mentions that Restrict who can push to matching branches is part of the branch restrictions features which are only available to:

[a] repository [that] is owned by an organization using GitHub Team or GitHub Enterprise Cloud

so I’m not sure how these rules apply to repositories by individuals who have invited collaborators (or if these options are even shown).

The strange thing is that the description of this feature states it clearly I think:

Specify people, teams or apps allowed to push to matching branches.

No fix found for this yet.

Unless you have also set code owners for the repository. I remember having experienced this type of conflict between branch settings and code owners rules, when code owners was still available to Free GH accounts, but then it was removed, so I’m not sure.

Well, it’s an enterprise account anyway, but we do have people who are nominated as code owners but no codeowner files or settings.

In this case you might also need to check if the organization has some default settings that are propagated to all repositories (which is possible). With orgs and Team things can get tricky for different rules and settings start to overlap.

No defaults there, we still have the problem.
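
An added example (not from any participant in the thread, and not GitHub's code): a Ruby check of which branch names the pattern `[master,develop]*` covers and how a pull-request requirement combines with a push allow-list. The branch list, user names and `push_verdict` logic are constructed here, and assume GitHub's documented behaviour: rule patterns follow `File.fnmatch` with `FNM_PATHNAME`, and a pull-request requirement also applies to users on the allow-list.

```ruby
# Constructed sample data: branch names, users and the rule hash are illustrative.

# Assumption: rule patterns are matched like Ruby's File.fnmatch with
# FNM_PATHNAME, so "[...]" is a character class and "*" never crosses "/".
def covered_branches(pattern, branches)
  branches.select { |b| File.fnmatch(pattern, b, File::FNM_PATHNAME) }
end

# How can `user` get commits onto a branch covered by `rule`?
# Assumption: the pull-request requirement applies to everyone, and the push
# allow-list only narrows who may push or merge; it is not an exemption.
def push_verdict(rule, user:, admin: false)
  # Admins bypass the rule unless it is also applied to administrators.
  return :direct_push if admin && !rule[:enforce_admins]

  list = rule[:push_allow_list]
  return :blocked unless list.nil? || list.include?(user)

  rule[:require_pull_request] ? :pull_request_only : :direct_push
end

# The settings described in the thread, with a hypothetical allow-list.
RULE = {
  pattern: "[master,develop]*",
  require_pull_request: true,
  enforce_admins: false,
  push_allow_list: %w[alice bob]
}.freeze

BRANCHES = %w[master develop main staging release/1.0 hotfix].freeze

if __FILE__ == $PROGRAM_NAME
  # The character class matches any name starting with one of its letters.
  puts "covered by rule: #{covered_branches(RULE[:pattern], BRANCHES).join(', ')}"
  [["alice", false], ["carol", false], ["root", true]].each do |name, admin|
    puts "#{name}: #{push_verdict(RULE, user: name, admin: admin)}"
  end
end
```

Under these assumptions the pattern also covers names such as `main` and `staging`, and a user on the allow-list reaches the branch only by merging a pull request.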