Using protected branches to empower non-code contributors on GitHub

3 min read
: With GitHub's protected branches feature, you can grant collaborators permission to moderate comments, manage issues, or serve as project managers/team leads without the ability to merge pull requests or commit to master.

Update 2019–05–23: This is now possible more intuitively with GitHub’s triage role.

Out of the box, GitHub enables you to grant collaborators read, write, or admin permissions to a project. It’s not uncommon, however, for open source communities to want to empower a class of non-code contributors to moderate comments, manage issues, or serve as project managers/team leads, even if they ultimately don’t have permission to modify the code on the repository’s primary branch.

Fortunately, with GitHub’s protected branches feature, you can grant contributors these permissions without also giving them the ability to merge pull requests or commit directly to main.

If your project is owned by an organization, it’s relatively easy to set up on a per-repository basis:

  1. From the repository in question, navigate to “Settings” → “Branches”
  2. Under “Protected branches” choose your primary branch from the dropdown, or if it is already protected, click “edit” Protected branches
  3. Ensure “Protect this branch” is checked1 Protect this branch
  4. Check “Restrict who can push to this branch” Restrict who can push to this branch
  5. Add any users you want to be able to merge pull requests to this list2
  6. Grant any users you’d like “write” access to the repository as you would normally, confident they can’t commit or merge to main

With branch restrictions enforced, these non-code committing users, which you might describe as “community managers”, “team leads”, or “project managers” can now close/re-open issues, moderate comments, and push to feature branches, but cannot merge pull requests or commit directly to your project’s primary branch (only those users you specified in step five above can).

While I’m generally a fan of preferring social constraints over administrative or technical constraints, sometimes technical constraints allow you to decentralize project governance and empower those you otherwise wouldn’t trust with less-restrictive permissions. This somewhat-hidden feature gives maintainers the ability to grant an additional level of access beyond just read/write/admin, and may provide some open source projects the ability to implement (and enforce) their natural (or preferred) community-management workflows.

Footnotes#

  1. It’s probably also a good idea to check “Require pull request reviews before merging” and “Require status checks to pass before merging”, but those aren’t strictly necessary for what we’re doing

  2. Even better, create a team, for example, core-committers to make managing permissions across repositories even easier

Originally published April 14, 2017 View revision history
Share
Discuss on Bluesky Twitter LinkedIn

Up next

Five (and a half) practical tips for governing your open source project

5 min read

Practical tips for governing your growing open source project, from org-owned repos and enforcing 2FA to the triage role and appointing community managers.

More to explore

Intro to GitHub for non-technical roles

10 min read

GitHub isn't just for developers. A practical guide for non-technical roles to follow along, collaborate, and track work with confidence.

How to one-on-one

5 min read

Most 1:1s waste your team's only protected synchronous time on status updates. Here's how to run ones worth showing up for.

15 rules for communicating at GitHub

16 min read

How GitHub uses issues and chat for async communication — fifteen rules that eliminate the 'you had to be there' problem in corporate workflows.

Pull requests are a form of documentation

3 min read

Pull requests capture not just what changed, but who, why, and what alternatives were considered. Treat every PR as a time capsule for future contributors.