Using protected branches to empower non-code contributors on GitHub
Update 2019–05–23: This is now possible more intuitively with GitHub’s triage role.
Out of the box, GitHub enables you to grant collaborators read, write, or admin permissions to a project. It’s not uncommon, however, for open source communities to want to empower a class of non-code contributors to moderate comments, manage issues, or serve as project managers/team leads, even if they ultimately don’t have permission to modify the code on the repository’s primary branch.
Fortunately, with GitHub’s protected branches feature, you can grant contributors these permissions without also giving them the ability to merge pull requests or commit directly to
If your project is owned by an organization, it’s relatively easy to set up on a per-repository basis:
- From the repository in question, navigate to “Settings” → “Branches”
- Under “Protected branches” choose your primary branch from the dropdown, or if it is already protected, click “edit”
- Ensure “Protect this branch” is checked1
- Check “Restrict who can push to this branch”
- Add any users you want to be able to merge pull requests to this list2
- Grant any users you’d like “write” access to the repository as you would normally, confident they can’t commit or merge to
With branch restrictions enforced, these non-code committing users, which you might describe as “community managers”, “team leads”, or “project managers” can now close/re-open issues, moderate comments, and push to feature branches, but cannot merge pull requests or commit directly to your project’s primary branch (only those users you specified in step five above can).
While I’m generally a fan of preferring social constraints over administrative or technical constraints, sometimes technical constraints allow you to decentralize project governance and empower those you otherwise wouldn’t trust with less-restrictive permissions. This somewhat-hidden feature gives maintainers the ability to grant an additional level of access beyond just read/write/admin, and may provide some open source projects the ability to implement (and enforce) their natural (or preferred) community-management workflows.
It’s probably also a good idea to check “Require pull request reviews before merging” and “Require status checks to pass before merging”, but those aren’t strictly necessary for what we’re doing ↩
Even better, create a team, e.g.,
core-committersto make managing permissions across repositories even easier ↩
If you enjoyed this post, you might also enjoy:
- Twelve tips for growing communities around your open source project
- Five (and a half) practical tips for governing your open source project
- Towards a More Agile Government
- Five best practices in open source: external engagement
- 15 rules for communicating at GitHub
- Why open source
- Securing the Status Quo
- Ten ways to make a product great
- Everything an open source maintainer might need to know about open source licensing
- 19 reasons why technologists don't want to work at your government agency
- Why you probably shouldn't add a CLA to your open source project
Ben Balter is Chief of Staff for Security at GitHub, the world’s largest software development platform. Previously, as a Staff Technical Program manager for Enterprise and Compliance, Ben managed GitHub’s on-premises and SaaS enterprise offerings, and as the Senior Product Manager overseeing the platform’s Trust and Safety efforts, Ben shipped more than 500 features in support of community management, privacy, compliance, content moderation, product security, platform health, and open source workflows to ensure the GitHub community and platform remained safe, secure, and welcoming for all software developers. Before joining GitHub’s Product team, Ben served as GitHub’s Government Evangelist, leading the efforts to encourage more than 2,000 government organizations across 75 countries to adopt open source philosophies for code, data, and policy development. More about the author →