
git merge --squash to protected master branch

There are other similar posts to this and I believe I know the answer but I'd like to sanity check this and then see if there are either ideas for workarounds or whether GitHub would consider this worth implementing a feature for.

 

Background

  • We care a lot about security!
  • We want to enforce signed commits to our repo
  • We want to run verification of signatures against a list of trusted public keys (we will implement this)
  • We want to mandate that our devs don't use GitHub UI to resolve or merge. The problem here is that GitHub uses its own key to sign commits so we can't guarantee that the commit was made by a trusted user. We must thus not allow any commits signed with GitHub's key.
  • Separately we want merges to master to require a PR and master branch to be protected from force commits
  • We also don't want admin users on our repos (admin privileges are generally bad - we have particular threats here we want to mitigate)
  • Specifically this means we don't want admins to be able to override branch protections
  • We want to use squash commits
  • Squash commits can't be done from the command line, even with an approved PR (regular merges can)

 

Questions

  • Is my assessment correct that squash commits can't be done from the command line in this scenario?
  • Any good workaround? 
  • Would GitHub implement a feature to support this (that would be fiddly but I don't think impossible)?

 

One workaround would be to squash to a separate branch and do the PR against that. However, I'm pretty sure that's just going to be a painful overhead for our devs.
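
One way to implement the trusted-key check from the Background list, as an added example that is not part of the original post or GitHub's tooling: it parses `git log` output built from git's `%G?` and `%GP` placeholders and flags every commit that is unsigned, cannot be verified, or is signed by a key outside the allowlist. The fingerprints, commit hashes and function names are constructed for illustration.

```python
import subprocess

# Tab-separated: commit hash, signature status (%G?), primary-key fingerprint (%GP).
LOG_FORMAT = "%H%x09%G?%x09%GP"
# G = good signature; U = good signature from a key GnuPG has no trust level for.
# Accepting U is a policy choice here: the allowlist itself pins the key.
ACCEPTED_STATUS = {"G", "U"}

def normalize(fpr):
    return fpr.replace(" ", "").upper()

def find_violations(log_text, trusted_fprs):
    """Return (commit, reason) for every commit that fails the signing policy."""
    trusted = {normalize(f) for f in trusted_fprs}
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, status, fpr = (line.split("\t") + ["", ""])[:3]
        if status == "N":
            violations.append((sha, "unsigned"))
        elif status not in ACCEPTED_STATUS:
            violations.append((sha, "signature status " + status))
        elif normalize(fpr) not in trusted:
            violations.append((sha, "untrusted key " + fpr))
    return violations

def git_log(rev_range, repo="."):
    """Collect the log for a range such as origin/master..HEAD."""
    cmd = ["git", "-C", repo, "log", "--format=" + LOG_FORMAT, rev_range]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

# Constructed sample data (not real keys or commits).
DEV_KEY = "A" * 40
PLATFORM_KEY = "B" * 40   # stands in for any key outside the allowlist
TRUSTED = [DEV_KEY]
SAMPLE_LOG = "\n".join([
    "1111111\tG\t" + DEV_KEY,       # signed by a trusted developer
    "2222222\tG\t" + PLATFORM_KEY,  # valid signature, key not on the list
    "3333333\tN\t",                 # no signature
    "4444444\tE\t",                 # key missing from the verifying keyring
])

if __name__ == "__main__":
    for sha, reason in find_violations(SAMPLE_LOG, TRUSTED):
        print(sha, reason)
```

In CI, pass it the output of `git_log("origin/master..HEAD")` run against a GnuPG keyring that holds only the trusted keys.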