Pushing to a protected branch with required status checks #23273
-
hi, The protected branch UI says this under “Restrict who can push to this branch”: Specify people or teams allowed to push to this branch. Required status checks will still prevent these people from merging if the checks fail. But I can’t find anything that tells me *how* to run a status check when doing a push into a branch. Can someone explain how to do this? Situation:
When we make status checks required, this prevents the background process from pushing changes into the master branch. This makes sense but the red text above makes me think there’s a way to trigger the status checks when trying to push into master, but I can’t find any info about how to do it. So I’m wondering:
thanks for any help you can give. david. |
Beta Was this translation helpful? Give feedback.
Replies: 6 comments
-
Hi @dstrome, It sounds like you are already using status checks correctly in this way. Status checks are a way to prevent people from merging Pull Requests into a protected branch. Since you’re already requiring Pull Requests to merge into master, you shouldn’t have anyone directly pushing to that protected branch, so everyone will need to go through those status checks. To answer your other question, yes, if you don’t check “include administrators”, they can bypass these requirements. Thanks! |
Beta Was this translation helpful? Give feedback.
-
hey @that-pat, thanks for the reply. I guess what’s confusing me is the wording of the string “Required status checks will still prevent these people from merging if the checks fail”. To me that implies that the status checks can be kicked off when a push into the branch is done. Either that or there’s another circumstance where the checks have already run somehow. David. |
Beta Was this translation helpful? Give feedback.
-
Hi @dstrome, GitHub doesn’t kick off any status checks, but it will not allow the merge to happen unless there have been success reports from all required checks. The way that is usually set up is that people set up web hooks to fire off ci jobs when pushes come in, and those CI jobs do status reporting. |
Beta Was this translation helpful? Give feedback.
-
Thanks @seveas, that makes sense. Thanks for the reply. |
Beta Was this translation helpful? Give feedback.
-
Hi, Thanks, |
Beta Was this translation helpful? Give feedback.
-
Anyone with the appropriate permission can use the status api if you would like to protect against a single attacker bypassing with compromised credentials you are going to need to take a layered approach. If it’s an Adminstrator level account, its game over. We can slow them down and alert on things to notify response teams. My reccomended settings for mitigation:
At the end of the day stopping a rougue or compromised admin is effectively impossible but we can ensure that we prevent this from happening with non admin users and auditability when protections are bypassed. I know its a hard thing to balance in larger organizations but its absolutely critical. I decided to use terraform and github itself expose api internals to reduce the number of opperations that required a user to directly perform operations. Doing so allowed us to remove a lot of admins, while not every operation is accessible through the api and the terraform providers may not always support everything the api does (yet) I would highly encourage this approach. This shifted a lot of requests from operations (and security) teams back to the engineers that were requesting the change in the first place. |
Beta Was this translation helpful? Give feedback.
Hi @dstrome,
GitHub doesn’t kick off any status checks, but it will not allow the merge to happen unless there have been success reports from all required checks. The way that is usually set up is that people set up web hooks to fire off ci jobs when pushes come in, and those CI jobs do status reporting.