Skip to main content

Branch Protection Settings and Issues

Overview

As part of the MoJ GitHub repository standards it has been decided that certain Branch Protection settings should be enabled to create a safer environment on GitHub.

See the Standards.

A repository that does not have the minimum Branch Protection settings will be non-compliant and an issue against the repository will be created per non enabled Branch Protection setting (Currently disabled).

See the github-repository-standards repository.

The non-compliant repositories and created issues are recorded within the Operations Engineering Reports report, which is updated on a daily basis. It is generated by the operations-engineering-reports repository.

Minimum Branch Protection Settings

The minimum Branch Protection settings for a repository are listed on github-repository-standards repository.

GH GraphQL Query

Below is some of the Branch Protection rules within GH that can be obtained from a GraphQL query. The comment on each line maps the the Branch Protection rule to the Branch Protection setting within the GH repository settings UI.

“‘ { repository(name: "repo-name”, owner: “ministryofjustice”) { branchProtectionRules(first: 100) { edges { node { dismissesStaleReviews # Dismiss stale pull request approvals when new commits are pushed isAdminEnforced # Include administrators pattern # Should be set to main requiredApprovingReviewCount # Require approvals > 0 requiredStatusCheckContexts # Would apply to a .yml file I believe ie “terraform-plan” requiresApprovingReviews # Require a pull request before merging requiresCodeOwnerReviews # Require review from Code Owners requiresCommitSignatures # Require signed commits requiresConversationResolution # Require conversation resolution before merging requiresLinearHistory # Require linear history requiresStrictStatusChecks # Require branches to be up to date before merging requiresStatusChecks # Require status checks to pass before merging } } } } } “’

How to implement a Branch Protection setting in Code

Two repositories are required to implement a Branch Protection check, raise an issue and add the details to the report. These are the github-repository-standards repository and the Operations Engineering Reports repository.

The github-repository-standards repository contains the check and raises the issue on the repository (currently disabled).

The Operations Engineering Reports repository receives encrypted json data from github-repository-standards repository to display on report site.

The github-repository-standards repository Branch Protection check and raise issue against a repository are implemented using Ruby. A python script encrypts the json data and sends it to the report website. The report website decrypts the json data. The files to look at are:

Note: Check the contents of the .json file after the script has completed to ensure the expected Branch Protection results are generated correctly.

Note: The json result data is passed between the two repositories therefore the variable/s names used in both repositories must match when either writing or reading the json data.

Note: Either on a branch or after the modifications have been merged onto the main branch the operations-engineering-reports report can be run manually on the CI Continuous Deployment to see the modifications within the report quicker rather than waiting for the scheduled report to occur.

This page was last reviewed on 5 November 2024. It needs to be reviewed again on 5 February 2025 by the page owner #operations-engineering-alerts .