Enforcing PRs only when merge is from certain branches

We use a Gitflow-esque workflow that works pretty well for us. Work is done in “story/*” branches that are merged into “epic/*” branches. When a full feature (epic) is complete, it is merged to master, which essentially means it is heading to prod.

Master is a protected branch with enforced PRs, but given the above flow we’d like to also ensure the epic/* branches require PRs when merging in new stories.

The problem is that epic branches currently in development all need to be updated with master whenever a new feature goes out. Using enforced PRs with branch protection, the merge from master into the epic branch triggers a tedious round of PRs.

Ideally, we’d like to enforce PRs when moving from story to epic to master, but not the other way (updating any of those branches with changes from upstream).

Does anyone have any hacks/thoughts/strategies for making this happen?

There are a few different ways this could be achieved:

  • You could have a machine account, GitHub App, or GitHub Action that could be used to perform the downstream migrations on demand
  • You could allow administrators to push to certain protected branches
  • You could have a team of “trusted” people with the ability to push to certain protected branches

There are probably other ways, but those are the ones that come to mind most readily. Let me know if you need more details.

I hope that helps!
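One way to implement the first suggestion (a GitHub App identity that performs the master-to-epic merges), as an added example that is not part of the original thread: the workflow's own token stays read-only, and only the app is added to the bypass list of the epic/* rule, never master's, so PRs remain enforced in the story-to-epic-to-master direction. The app id/secret names (SYNC_APP_ID, SYNC_APP_KEY) are assumptions.

```yaml
# .github/workflows/sync-epics.yml (added example; names marked below are assumed)
name: Sync master into epic branches

on:
  push:
    branches: [master]

permissions:
  contents: read          # the default GITHUB_TOKEN cannot push anything

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Mint a short-lived token for the sync app
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.SYNC_APP_ID }}            # assumed variable name
          private-key: ${{ secrets.SYNC_APP_KEY }}   # assumed secret name

      - uses: actions/checkout@v4
        with:
          fetch-depth: 0                             # need full history to merge
          token: ${{ steps.app-token.outputs.token }}

      - name: Merge master into each epic/* branch
        run: |
          git config user.name "epic-sync[bot]"
          git config user.email "epic-sync[bot]@users.noreply.github.com"
          for ref in $(git for-each-ref --format='%(refname:short)' refs/remotes/origin/epic/); do
            branch="${ref#origin/}"
            git checkout -B "$branch" "$ref"
            # Clean merges are pushed directly; a conflict is left for a human PR,
            # so the bot never resolves code on its own.
            if git merge --no-ff --no-edit origin/master; then
              git push origin "$branch"
            else
              echo "::warning::conflict merging master into $branch; open a PR instead"
              git merge --abort
            fi
          done
```

Because the push is made with the app's token, the merge commits show up under the app's identity, which keeps the audit trail of who bypassed the epic/* PR rule separate from any human account.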