GitHub/Repository Security/Problems and Options: Difference between revisions

(Add problem with GitHub Apps & restricted commits)
(Add "ours" merge strategy as option to force pushing to production)
In the interim, GitHub Apps can open PRs, but a human committer will need to merge them (or a bot using old-style OAuth permissions).

== Branch protection should be enabled for production branches ==
Enabling branch protection both (a) prevents deletion of the branch, and (b) disallows force pushes to it, so the branch's history can only move forward (by fast-forward or by merge commit) and never be rewritten.
=== Problem: Our workflow uses force pushes to production to ensure we know what will be deployed. ===
There is another way to achieve the same goal, ''and'' make it easier for developers to update from production. The less well-known [https://git-scm.com/docs/merge-strategies#merge-strategies-ours "ours" merge strategy] ("git merge -s ours") produces a merge commit whose tree is exactly the tree of the current branch, while still recording the merged-in branch as a parent. Run it on the branch that holds the files you want to ship, merging production ''into'' that branch, and you get both:
* A head that contains exactly the files you need, and
* A history in which the old production head is an ancestor, so developers (and systems) can always apply fast-forward updates instead of force pushes.
Do not confuse the "ours" ''strategy'' ("-s ours") with the "-X ours" option of the default strategy: the latter only resolves conflicting hunks in favour of the current side and still brings in the other side's non-conflicting changes.
An example of using this workflow is [https://stackoverflow.com/a/45408573/5128493 described] on Stack Overflow.
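The following script is an added example written for this page; it is not code from the wiki or from the linked Stack Overflow answer. It builds a scratch repository (under a mktemp directory, with branch names "production" and "release" chosen for the demo, and git assumed to be on PATH), lets production drift with a hotfix that the next release does not contain, and then supersedes production with the release using the "ours" strategy followed by a fast-forward only merge, printing the three checks a reviewer would want: the production tree is byte-for-byte the release tree, the old production head is still an ancestor (nothing was rewritten), and the stray hotfix file is gone.

```shell
# Added example (not from the wiki page or the linked Stack Overflow answer).
# Assumptions: git is installed; "production"/"release" branch names and the
# scratch repository under mktemp are choices made for this demo.
set -e

ours_merge_demo() (
    # Silence git's own chatter; fd 3 keeps the caller's stdout for the summary.
    exec 3>&1 >/dev/null
    repo=$(mktemp -d)
    cd "$repo"
    git init -q
    git symbolic-ref HEAD refs/heads/production
    git config user.name "demo"
    git config user.email "demo@example.invalid"
    git config commit.gpgsign false   # keep the demo independent of global signing config

    # Production v1, plus a hotfix committed straight onto production.
    printf 'v1\n' > app.txt
    git add app.txt
    git commit -q -m "production v1"
    printf 'hotfix\n' > hotfix.txt
    git add hotfix.txt
    git commit -q -m "hotfix committed straight to production"
    old_prod=$(git rev-parse production)

    # The release is built from v1 and does NOT contain the hotfix: exactly the
    # situation in which a team would otherwise force-push production.
    git checkout -q -b release "$old_prod~1"
    printf 'v2\n' > app.txt
    git add app.txt
    git commit -q -m "release v2"
    release_tree=$(git rev-parse 'release^{tree}')

    # The trick: merge production INTO release with the "ours" strategy. The
    # merge commit keeps release's tree unchanged and merely records the
    # production head as a second parent.
    git merge -q -s ours -m "Supersede production with release v2" production

    # production now moves by a plain fast-forward: no history is rewritten,
    # so a protected branch (no force pushes, no deletion) accepts it.
    git checkout -q production
    git merge -q --ff-only release

    # What a reviewer would verify after the update.
    if [ "$(git rev-parse 'production^{tree}')" = "$release_tree" ]; then tree=yes; else tree=no; fi
    if git merge-base --is-ancestor "$old_prod" production; then ancestor=yes; else ancestor=no; fi
    if [ -e hotfix.txt ]; then hotfix=present; else hotfix=gone; fi
    cd / && rm -rf "$repo"
    printf 'tree-match=%s old-head-is-ancestor=%s hotfix=%s\n' "$tree" "$ancestor" "$hotfix" >&3
)

ours_merge_demo
```

The merge commit created by "-s ours" is an ordinary commit, so the usual protections still apply to it: it can be GPG signed, and it can be pushed to production through a PR rather than directly. If the fast-forward merge is instead rejected, production has received a commit the release branch does not contain, which is the signal that someone bypassed the release flow.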


== Commits (including merges) to the production branch should be GPG signed. ==