Bypass status check only for the initial push

When I enable a branch protection for releases/* with “Require status checks to pass before merging”, no one except administrators can create a new branch under releases/* even if the commit is already approved and merged into the other branch with the proper status checks.

When I also enable “Include administrators” for the branch protection, no one can create a new branch under releases/* including the administrators.

I tried this workaround, but it only applies to PRs: Troubleshooting required status checks - GitHub Docs. In this situation, we need to create a branch first in order to create a PR, i.e. a deadlock.

Is there any workaround? Currently, the only workaround I found is disabling “Include administrators.” This workaround also enables automated pushes by deploy keys, because they have administrator privileges (Managing deploy keys - GitHub Docs). However, “Include administrators” should be enabled. Also, this workaround doesn’t apply to a GitHub App token, a PAT, or GITHUB_TOKEN.

Another workaround would be keeping a single release branch and reusing it for every release…

Tried an empty commit, but it still requires the status check:

$ git switch --orphan releases/empty
Switched to a new branch 'releases/empty'

$ git commit --allow-empty -m "initial commit"
[releases/empty (root-commit) 0000000] initial commit

$ git push origin releases/empty
Enumerating objects: 2, done.
Counting objects: 100% (2/2), done.
Writing objects: 100% (2/2), 171 bytes | 171.00 KiB/s, done.
Total 2 (delta 0), reused 0 (delta 0), pack-reused 0
remote: error: GH006: Protected branch update failed for refs/heads/releases/empty.
remote: error: Required status check "approved" is expected. Changes must be made through a pull request.

Ah, looks like this part was wrong. If the exact same commit has the passed status check, it can pass the protection rule:

“even if the commit is already approved and merged into the other branch with the proper status checks.”

Now the error is only:

remote: error: Changes must be made through a pull request.

Now I got the proper workaround.

First, push the target commit to a non-protected branch (I used a GitHub Actions workflow). Then, trigger a GitHub Actions workflow on the push event for that branch with a GitHub App token whose app is allowed to bypass pull requests for the protected branch (“Allow specified actors to bypass required pull requests”). In the workflow, run a job named the same as the required status check (approved in this example) before pushing to the protected branch.

on: push  # runs when the target commit is pushed to a non-protected branch

jobs:
  # The job name must equal the required status check ("approved" here);
  # its success is what satisfies the check on the pushed commit.
  approved:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Approved!"
  push:
    runs-on: ubuntu-latest
    needs: [ approved ]
    steps:
      # Token for the GitHub App listed under
      # "Allow specified actors to bypass required pull requests".
      - id: generate-token
        uses: tibdex/github-app-token@v1
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.PRIVATE_KEY }}
      - uses: actions/checkout@v3
        with:
          token: ${{ steps.generate-token.outputs.token }}
      # Push the checked-out commit as the new protected branch; the explicit
      # refspec works from the detached HEAD that actions/checkout leaves.
      - run: git push origin HEAD:refs/heads/releases/test

With this workaround, I can keep “Require a pull request before merging”, “Require status checks to pass before merging”, “Include administrators”, and “Restrict who can push to matching branches” all enabled! Also, even if the commit is “approved”, administrators still can’t create the protected branch because of “Organization and repository administrators: These members cannot bypass”, which is actually good, since we want the protected branch to be created only by the GitHub App.
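To make the interaction of the four rules above easier to reason about, here is an added example (not from the original thread): a small model of how the thread's branch protection decides whether a push that creates a releases/* branch is accepted, and which rule blocks it otherwise. The protection dict mirrors fields of the REST response for GET /repos/{owner}/{repo}/branches/{branch}/protection and the commit status dict mirrors GET /repos/{owner}/{repo}/commits/{ref}/status; both payloads, the app slug "release-app" and the user "alice" are constructed, and the model covers commit statuses only, not check runs.

```python
"""Model which branch-protection rule rejects the creation of a protected branch."""

PROTECTION = {  # constructed: the thread's final configuration
    "required_status_checks": {"contexts": ["approved"]},
    "enforce_admins": {"enabled": True},        # "Include administrators"
    "required_pull_request_reviews": {          # "Require a pull request before merging"
        "bypass_pull_request_allowances": {"users": [], "teams": [],
                                           "apps": [{"slug": "release-app"}]},
    },
    "restrictions": {"users": [], "teams": [],  # "Restrict who can push to matching branches"
                     "apps": [{"slug": "release-app"}]},
}

# Constructed combined-status payloads for the commit being pushed.
APPROVED_COMMIT = {"statuses": [{"context": "approved", "state": "success"}]}
EMPTY_COMMIT = {"statuses": []}  # the thread's `git commit --allow-empty` case


def _allowed(actors):
    """Flatten an apps/users allowance object into a set of actor names (teams omitted)."""
    return {a["slug"] for a in actors["apps"]} | {u["login"] for u in actors["users"]}


def blocking_rules(protection, commit_status, actor, is_admin=False):
    """Return the names of the rules that would reject the branch creation.

    An empty list means the push is accepted. With "Include administrators" off,
    an administrator bypasses everything (the thread's first workaround); with it
    on, administrators are ordinary actors, so a passing status check alone never
    lets them create the branch.
    """
    if is_admin and not protection["enforce_admins"]["enabled"]:
        return []
    blocked = []
    passed = {s["context"] for s in commit_status["statuses"] if s["state"] == "success"}
    if any(c not in passed for c in protection["required_status_checks"]["contexts"]):
        blocked.append("required_status_checks")  # 'Required status check "approved" is expected.'
    pr = protection.get("required_pull_request_reviews")
    if pr and actor not in _allowed(pr["bypass_pull_request_allowances"]):
        blocked.append("required_pull_request_reviews")  # 'Changes must be made through a pull request.'
    restrictions = protection.get("restrictions")
    if restrictions and actor not in _allowed(restrictions):
        blocked.append("restrictions")
    return blocked
```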