Using protected branches to empower non-code contributors on GitHub

TL;DR: With GitHub’s protected branches feature, you can grant collaborators permission to moderate comments, manage issues, or serve as project managers/team leads without the ability to merge pull requests or commit to master.

Update 2019–05–23: This is now possible more intuitively with GitHub’s triage role.

Out of the box, GitHub enables you to grant collaborators read, write, or admin permissions to a project. It’s not uncommon, however, for open source communities to want to empower a class of non-code contributors to moderate comments, manage issues, or serve as project managers/team leads, even if they ultimately don’t have permission to modify the code on the repository’s primary branch.

Fortunately, with GitHub’s protected branches feature, you can grant contributors these permissions without also giving them the ability to merge pull requests or commit directly to main.

If your project is owned by an organization, it’s relatively easy to set up on a per-repository basis:

  1. From the repository in question, navigate to “Settings” → “Branches”
  2. Under “Protected branches” choose your primary branch from the dropdown, or if it is already protected, click “edit” Protected branches
  3. Ensure “Protect this branch” is checked1 Protect this branch
  4. Check “Restrict who can push to this branch” Restrict who can push to this branch
  5. Add any users you want to be able to merge pull requests to this list2
  6. Grant any users you’d like “write” access to the repository as you would normally, confident they can’t commit or merge to main

With branch restrictions enforced, these non-code committing users, which you might describe as “community managers”, “team leads”, or “project managers” can now close/re-open issues, moderate comments, and push to feature branches, but cannot merge pull requests or commit directly to your project’s primary branch (only those users you specified in step five above can).

While I’m generally a fan of preferring social constraints over administrative or technical constraints, sometimes technical constraints allow you to decentralize project governance and empower those you otherwise wouldn’t trust with less-restrictive permissions. This somewhat-hidden feature gives maintainers the ability to grant an additional level of access beyond just read/write/admin, and may provide some open source projects the ability to implement (and enforce) their natural (or preferred) community-management workflows.

  1. It’s probably also a good idea to check “Require pull request reviews before merging” and “Require status checks to pass before merging”, but those aren’t strictly necessary for what we’re doing 

  2. Even better, create a team, for example, core-committers to make managing permissions across repositories even easier 

Originally published April 14, 2017 | View revision history

If you enjoyed this post, you might also enjoy:

benbalter

Ben Balter is the Director of Engineering Operations and Culture at GitHub, the world’s largest software development platform. Previously, as Chief of Staff for Security, he managed the office of the Chief Security Officer, improving overall business effectiveness of the Security organization through portfolio management, strategy, planning, culture, and values. As a Staff Technical Program manager for Enterprise and Compliance, Ben managed GitHub’s on-premises and SaaS enterprise offerings, and as the Senior Product Manager overseeing the platform’s Trust and Safety efforts, Ben shipped more than 500 features in support of community management, privacy, compliance, content moderation, product security, platform health, and open source workflows to ensure the GitHub community and platform remained safe, secure, and welcoming for all software developers. Before joining GitHub’s Product team, Ben served as GitHub’s Government Evangelist, leading the efforts to encourage more than 2,000 government organizations across 75 countries to adopt open source philosophies for code, data, and policy development. More about the author →

This page is open source. Please help improve it.

Edit