"Update Button" updated protected branch

We have 2 protected branches: main and develop.

At one point, we created a Pull request merging main → develop because there were changes in main that weren’t in develop.

The GitHub UI enabled the “Update Branch” button on this PR, which accidentally - and improperly, I think - immediately merged all of the commits in develop into main - without a PR.

(happily, our main branch is only updated during releases, and I could figure out the “last good commit hash” in main, so I was able to do a git reset --hard <hash> && git push -f origin master - with some emergency relaxing of the protection rules around the master branch)

Bottom line: Our main branch was updated without validations being run against it, even though main is protected.

And I can’t figure out a way to configure GitHub settings to prevent this in the future.

Any suggestions?

There are quite a number of sub-settings for branch protections, and which of those are available might depend on the type of GH account you have, whether the repository is part of an organization, Team, etc.

But, in general, unless you explicitly check the option to enforce branch protection rules also on administrators, these won’t apply to project maintainers (i.e. they can still do as they like). So, this might be a cause.

I’m not sure what this button is, but I’m aware of some new features for synchronizing outdated branches, so this might have just as well been part of that, i.e. leading to rebasing main on develop. Also, what buttons you might see and what they do largely depend on the repository settings regarding which type of merge operations are allowed (merge, rebase, squash).
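One way to check the settings discussed in this thread (an added example, not part of either post): the function below audits a branch-protection record shaped like the response of GitHub's REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection`. The function name `audit_protection` and the sample values are assumptions made for illustration.

```python
import json

# Constructed sample, shaped like a branch-protection API response.
# Admins are exempt here, which is the case the reply above describes.
WEAK = json.loads("""
{
  "required_status_checks": {"strict": false, "contexts": ["ci/build"]},
  "required_pull_request_reviews": {"required_approving_review_count": 1},
  "enforce_admins": {"enabled": false},
  "allow_force_pushes": {"enabled": false}
}
""")

# Same rule with enforcement extended to administrators (constructed).
HARDENED = dict(WEAK, enforce_admins={"enabled": True})


def audit_protection(branch, protection):
    """Return a list of findings for one branch's protection record.

    `protection` is the parsed JSON object, or None when the branch has
    no protection rule at all.
    """
    if protection is None:
        return [f"{branch}: no protection rule found"]

    findings = []
    # Without this flag, maintainers with admin rights bypass the rule.
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append(f"{branch}: enforce_admins is off, admins can bypass the rule")
    # No review requirement means commits can land without a PR review.
    if not protection.get("required_pull_request_reviews"):
        findings.append(f"{branch}: pull request reviews are not required")
    # A status-check block with no named checks validates nothing.
    checks = protection.get("required_status_checks") or {}
    if not (checks.get("contexts") or checks.get("checks")):
        findings.append(f"{branch}: no required status checks are configured")
    # Force pushes rewrite history on the protected branch.
    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append(f"{branch}: force pushes are allowed")
    return findings


if __name__ == "__main__":
    for name, rule in (("main (weak)", WEAK), ("main (hardened)", HARDENED)):
        print(name, audit_protection("main", rule) or "ok")
```

Running the audit again after any temporary relaxation of the rules, such as the one needed for the forced push in the first post, confirms that the protection was restored.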