Configures Branch Protection
Input Schema
| Property | Type | Description | Required |
|---|---|---|---|
| token | string | The token to use for authorization to GitHub | |
| branch | string | - | |
| repoUrl | string | Accepts the format `github.com?repo=reponame&owner=owner` where `reponame` is the new repository name and `owner` is an organization or username | |
| restrictions | object | - | |
| enforceAdmins | boolean | Enforce admins to adhere to default branch protection. The default value is `true` | |
| blockCreations | boolean | - | |
| dismissStaleReviews | boolean | New reviewable commits pushed to a matching branch will dismiss pull request review approvals. | |
| requiredCommitSigning | boolean | - | |
| requiredLinearHistory | boolean | - | |
| requireCodeOwnerReviews | boolean | Require an approved review in PR including files with a designated Code Owner | |
| requireLastPushApproval | boolean | Whether the most recent push to a PR must be approved by someone other than the person who pushed it. The default value is `false` | |
| bypassPullRequestAllowances | object | - | |
| requireBranchesToBeUpToDate | boolean | Require branches to be up to date before merging. The default value is `true` | |
| requiredStatusCheckContexts | array | The list of status checks to require in order to merge into this branch | |
| requiredApprovingReviewCount | number | Specify the number of reviewers required to approve pull requests. Use a number between `1` and `6` or `0` to not require reviewers. Defaults to `1`. | |
| requiredConversationResolution | boolean | Requires all conversations on code to be resolved before a pull request can be merged into this branch | |
Output Schema
Usage Examples
Protect the default branch with required reviews and status checks
Use this after publishing a new repository with fetch:template and publish:github. It applies the protection to administrators too, requires two approvals including a review from a CODEOWNERS entry, and blocks merges unless the CI status checks pass on an up-to-date branch.
```yaml
steps:
  - id: fetch-base
    action: fetch:template
    input:
      url: ./skeleton
  - id: publish
    action: publish:github
    input:
      allowedHosts:
        - github.com
      repoUrl: github.com?owner=${{ parameters.owner }}&repo=${{ parameters.repoName }}
      defaultBranch: ${{ parameters.defaultBranch }}
      description: ${{ parameters.description }}
      repoVisibility: private
  - id: protect-default-branch
    action: github:branch-protection:create
    input:
      repoUrl: github.com?owner=${{ parameters.owner }}&repo=${{ parameters.repoName }}
      branch: ${{ parameters.defaultBranch }}
      # Property names follow the Input Schema above: flat camelCase keys, no `rules` wrapper.
      enforceAdmins: true
      requiredLinearHistory: true
      requiredConversationResolution: true
      # Status checks must pass, and the branch must be current with its base first.
      requireBranchesToBeUpToDate: true
      requiredStatusCheckContexts:
        - ci/build
        - ci/test
      # Two approvals, including a code owner; new pushes invalidate earlier approvals.
      dismissStaleReviews: true
      requireCodeOwnerReviews: true
      requiredApprovingReviewCount: 2
```

Restrict who can push to the release branch
Apply this after the repo exists to lock down a protected release branch to a specific team. It restricts direct pushes to the release branch to the release-managers team, requires the latest push to be approved by someone other than its author, and requires a linear history.
```yaml
steps:
  - id: protect-release-branch
    action: github:branch-protection:create
    input:
      repoUrl: github.com?owner=${{ parameters.owner }}&repo=${{ parameters.repoName }}
      branch: ${{ parameters.releaseBranch }}
      # Property names follow the Input Schema above: flat camelCase keys, no `rules` wrapper.
      enforceAdmins: true
      requiredLinearHistory: true
      requiredApprovingReviewCount: 1
      requireLastPushApproval: true
      # Only the listed principals may push directly; everyone else goes through a pull request.
      restrictions:
        teams:
          - release-managers
        users: []
        apps: []
```
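The Input Schema above fixes the property names, types, defaults and the `0`/`1`-`6` range for `requiredApprovingReviewCount`, and the two usage examples show how a template wires those properties together. As an added example (not part of the Backstage action, its documentation, or the templates above), the following Python linter checks a template's `github:branch-protection:create` steps against that schema and reports settings that leave the branch weakly protected, so a template can be reviewed before the scaffolder runs it. The two sample steps, the organization `acme` and the repository `payments` are constructed for this example.

```python
"""Lint github:branch-protection:create steps before a template runs.

Added example: not part of the Backstage action or its docs. It checks a
step's `input` against the documented Input Schema and flags settings that
leave the branch weakly protected. The sample steps below are constructed.
"""
from urllib.parse import parse_qs

ACTION = "github:branch-protection:create"

# Property -> type, transcribed from the Input Schema table.
SCHEMA = {
    "token": str, "branch": str, "repoUrl": str, "restrictions": dict,
    "enforceAdmins": bool, "blockCreations": bool, "dismissStaleReviews": bool,
    "requiredCommitSigning": bool, "requiredLinearHistory": bool,
    "requireCodeOwnerReviews": bool, "requireLastPushApproval": bool,
    "bypassPullRequestAllowances": dict, "requireBranchesToBeUpToDate": bool,
    "requiredStatusCheckContexts": list, "requiredApprovingReviewCount": int,
    "requiredConversationResolution": bool,
}
# Defaults stated in the table, applied when the key is absent.
DEFAULTS = {
    "enforceAdmins": True, "requireLastPushApproval": False,
    "requireBranchesToBeUpToDate": True, "requiredApprovingReviewCount": 1,
}


def parse_repo_url(repo_url):
    """Split the `github.com?repo=reponame&owner=owner` form into (host, owner, repo)."""
    host, sep, query = repo_url.partition("?")
    if not host or not sep:
        raise ValueError(f"repoUrl must be host?repo=...&owner=...: {repo_url!r}")
    params = parse_qs(query, strict_parsing=True)
    missing = [k for k in ("owner", "repo") if k not in params]
    if missing:
        raise ValueError(f"repoUrl is missing {missing}: {repo_url!r}")
    return host, params["owner"][0], params["repo"][0]


def validate_input(step_input):
    """Return schema errors for a step's input; an empty list means it matches the table."""
    errors = []
    for key, value in step_input.items():
        expected = SCHEMA.get(key)
        if expected is None:
            errors.append(f"unknown property {key!r}")
        elif isinstance(value, bool) and expected is not bool:  # bool is an int subclass
            errors.append(f"{key}: expected {expected.__name__}, got bool")
        elif not isinstance(value, expected):
            errors.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    count = step_input.get("requiredApprovingReviewCount")
    if isinstance(count, int) and not isinstance(count, bool) and not 0 <= count <= 6:
        errors.append("requiredApprovingReviewCount must be 0 or between 1 and 6")
    for key in ("repoUrl", "branch"):  # the lint needs both to know which branch is targeted
        if not step_input.get(key):
            errors.append(f"{key} is needed to identify the branch to protect")
    if isinstance(step_input.get("repoUrl"), str):
        try:
            parse_repo_url(step_input["repoUrl"])
        except ValueError as exc:
            errors.append(str(exc))
    restrictions = step_input.get("restrictions")
    if isinstance(restrictions, dict):
        for key, value in restrictions.items():
            if key not in ("users", "teams", "apps") or not isinstance(value, list):
                errors.append(f"restrictions.{key} must be a list under users, teams or apps")
    return errors


def audit(step_input):
    """Return findings where the effective settings (with defaults) weaken protection."""
    cfg = {**DEFAULTS, **step_input}
    findings = []
    if not cfg["enforceAdmins"]:
        findings.append("enforceAdmins=false: administrators can bypass every other rule")
    if cfg["requiredApprovingReviewCount"] == 0:
        findings.append("requiredApprovingReviewCount=0: changes merge with no review")
    elif not (cfg.get("dismissStaleReviews") or cfg["requireLastPushApproval"]):
        findings.append("neither dismissStaleReviews nor requireLastPushApproval: "
                        "an approval still counts after the author pushes more commits")
    if not cfg.get("requireCodeOwnerReviews"):
        findings.append("requireCodeOwnerReviews unset: CODEOWNERS approval is not enforced")
    if not cfg.get("requiredStatusCheckContexts"):
        findings.append("requiredStatusCheckContexts empty: merges do not wait for CI")
    elif not cfg["requireBranchesToBeUpToDate"]:
        findings.append("requireBranchesToBeUpToDate=false: checks may have run on a stale base")
    return findings


def lint_steps(steps):
    """Lint every branch-protection step in a template: {step id: (errors, findings)}."""
    return {s["id"]: (validate_input(s.get("input", {})), audit(s.get("input", {})))
            for s in steps if s.get("action") == ACTION}


# Constructed sample steps: a hardened profile mirroring the first usage example,
# and a permissive one with a malformed repoUrl and a key the schema does not have.
SAMPLE_STEPS = [
    {"id": "protect-default-branch", "action": ACTION, "input": {
        "repoUrl": "github.com?owner=acme&repo=payments", "branch": "main",
        "enforceAdmins": True, "requiredLinearHistory": True,
        "requiredConversationResolution": True, "requireBranchesToBeUpToDate": True,
        "requiredStatusCheckContexts": ["ci/build", "ci/test"],
        "dismissStaleReviews": True, "requireCodeOwnerReviews": True,
        "requiredApprovingReviewCount": 2}},
    {"id": "weak", "action": ACTION, "input": {
        "repoUrl": "github.com?owner=acme", "branch": "main",
        "enforceAdmins": False, "requiredApprovingReviewCount": 0,
        "allow_force_pushes": False}},
]

if __name__ == "__main__":
    for step_id, (errors, findings) in lint_steps(SAMPLE_STEPS).items():
        print(f"{step_id}: errors={errors} findings={findings}")
```

Schema errors and protection findings are kept apart on purpose: an error means the scaffolder would reject or ignore the input (an unknown key, a wrong type, an unparsable `repoUrl`), while a finding means the step is valid but the resulting protection is weaker than the defaults in the table suggest, which is what a reviewer of the template wants to see before it is applied to a real repository.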