Update 2019-05-23: This is now possible more intuitively with GitHub’s triage role.
Out of the box, GitHub enables you to grant collaborators read, write, or admin permissions to a project. It’s not uncommon, however, for open source communities to want to empower a class of non-code contributors to moderate comments, manage issues, or serve as project managers/team leads, even if they ultimately don’t have permission to modify the code on the repository’s primary branch.
Fortunately, with GitHub’s protected branches feature, you can grant contributors these permissions without also giving them the ability to merge pull requests or commit directly to
If your project is owned by an organization, it’s relatively easy to set up on a per-repository basis:
- From the repository in question, navigate to “Settings” → “Branches”
- Under “Protected branches” choose your primary branch from the dropdown, or if it is already protected, click “edit”
- Ensure “Protect this branch” is checked1
- Check “Restrict who can push to this branch”
- Add any users you want to be able to merge pull requests to this list2
- Grant any users you’d like “write” access to the repository as you would normally, confident they can’t commit or merge to
With branch restrictions enforced, these non-code committing users, which you might describe as “community managers”, “team leads”, or “project managers” can now close/re-open issues, moderate comments, and push to feature branches, but cannot merge pull requests or commit directly to your project’s primary branch (only those users you specified in step five above can).
While I’m generally a fan of preferring social constraints over administrative or technical constraints, sometimes technical constraints allow you to decentralize project governance and empower those you otherwise wouldn’t trust with less-restrictive permissions. This somewhat-hidden feature gives maintainers the ability to grant an additional level of access beyond just read/write/admin, and may provide some open source projects the ability to implement (and enforce) their natural (or preferred) community-management workflows.
It’s probably also a good idea to check “Require pull request reviews before merging” and “Require status checks to pass before merging”, but those aren’t strictly necessary for what we’re doing ↩
Even better, create a team, e.g.,
core-committersto make managing permissions across repositories even easier ↩
Ben Balter is a Senior Manager of Product Management at GitHub, the world’s largest software development network, where he oversees the platform’s Community and Safety efforts. Named one of the top 25 most influential people in government and technology, Fed50’s Disruptor of the Year, and winner of the Open Source People’s Choice Award, Ben previously served as GitHub’s Government Evangelist, leading the efforts to encourage government at all levels to adopt open source philosophies for code, data, and policy development. More about the author →