Branch protection not working as I expected

I’m using Enterprise Cloud.

Use case: I want to allow a “core” team to push to any branch of a repository and have a “collaborators” team restricted to push to branches in the form “collaborators/[anything here]”.

What I tried:

  1. I created two teams: core and collaborators. Core is granted maintain role to the repo, while collaborators is granted write role.
  2. I added two branch protection rules:
    1. core is allowed to push to “**/**”
    2. collaborators is allowed to push to “collaborators/**”

What I get:

  • No matter the order of the branch protection rules above, members of the collaborators team will be able to push to all branches, not being restricted to “collaborators/[anything here]” branches, as I expected. Members of the core team can push to any branch, as expected.
  • If I reduce the access level of the collaborators team to just read I can’t even list the team in a rule (somehow expected).
  • Members of the collaborators team are not Organization owners.

What am I missing?