Seems like tying the perms on the action to the perms on the author of a commit could provide the automation power we want here without the security vulnerability. No?
Wow you saved me hours of debugging! ty!
So… there’s still no good way to do this without creating and managing a bot user just for this purpose, right?
It’s pretty absurd that GitHub still has no way to directly handle what should be a really straightforward, really common use case like this.
For Team and Enterprise plans, the “system-admin” user doesn’t necessarily need admin access:
"12. Optionally, if your repository is owned by an organization using GitHub Team or GitHub Enterprise Cloud, enable branch restrictions.
- Select Restrict who can push to matching branches.
- Search for and select the people, teams, or apps who will have permission to push to the protected branch."
- grant the “admin-user” push permissions
However, as an Owner (= full Admin) I cannot prevent myself from making stupid mistakes and am still able to push to a protected branch.