Update 2019-05-23: This is now possible more intuitively with GitHub’s triage role.
Out of the box, GitHub enables you to grant collaborators read, write, or admin permissions to a project. It’s not uncommon, however, for open source communities to want to empower a class of non-code contributors to moderate comments, manage issues, or serve as project managers/team leads, even if they ultimately don’t have permission to modify the code on the repository’s primary branch.
Fortunately, with GitHub’s protected branches feature, you can grant contributors these permissions without also giving them the ability to merge pull requests or commit directly to
If your project is owned by an organization, it’s relatively easy to set up on a per-repository basis:
- From the repository in question, navigate to “Settings” → “Branches”
- Under “Protected branches” choose your primary branch from the dropdown, or if it is already protected, click “edit”
- Ensure “Protect this branch” is checked1
- Check “Restrict who can push to this branch”
- Add any users you want to be able to merge pull requests to this list2
- Grant any users you’d like “write” access to the repository as you would normally, confident they can’t commit or merge to
With branch restrictions enforced, these non-code committing users, which you might describe as “community managers”, “team leads”, or “project managers” can now close/re-open issues, moderate comments, and push to feature branches, but cannot merge pull requests or commit directly to your project’s primary branch (only those users you specified in step five above can).
While I’m generally a fan of preferring social constraints over administrative or technical constraints, sometimes technical constraints allow you to decentralize project governance and empower those you otherwise wouldn’t trust with less-restrictive permissions. This somewhat-hidden feature gives maintainers the ability to grant an additional level of access beyond just read/write/admin, and may provide some open source projects the ability to implement (and enforce) their natural (or preferred) community-management workflows.
It’s probably also a good idea to check “Require pull request reviews before merging” and “Require status checks to pass before merging”, but those aren’t strictly necessary for what we’re doing ↩
Even better, create a team, e.g.,
core-committersto make managing permissions across repositories even easier ↩