Push rule public beta! #118843
Replies: 26 comments 66 replies
-
@patrick-knight Can these be used to enforce LFS on large files? Something like "if file extension is *.foo AND file size > 20MB AND file is not on LFS => deny"? From the screenshot, it looks like it may work, although it's ambiguous - if the file Can a rule be overridden by an admin on a case by case basis to push an exception to the rule? |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
Awesome addition! |
Beta Was this translation helpful? Give feedback.
-
I would like to prevent certain files, such as
Ideally, I would be able to say "do not allow adding matching files, but deleting is okay". |
Beta Was this translation helpful? Give feedback.
-
Why is this availble only for private repos? As an open source maintainer, I'd like to be able to deny pushes with 10-mb binary files in PRs without having to manually inspect every part of one. |
Beta Was this translation helpful? Give feedback.
-
I wanted to give feedback on a branch ruleset, but the "Give feedback" button opens this page... |
Beta Was this translation helpful? Give feedback.
-
Why is this ruleset not for the organization's private repo? |
Beta Was this translation helpful? Give feedback.
-
Excellent new feature, thank you for doing this. My first rule set was to restrict workflow changes, only allowing maintainer/admin roles in each repo to reduce the risk of malicious 3rd party actions being added accidentally. This is only a workaround though - I'd strongly prefer to have an org-level policy to only use the workflow that's in |
Beta Was this translation helpful? Give feedback.
-
We set up a rule to prevent pushing We bumped into another issue with the same rule: even though set to evaluate, it resulted in workflows being unable to push commits to a third-party repository. We use fjogeleit/yaml-update-action to update a version in a YAML file. This step started failing with HttpError: Operation is blocked due to enforced push rulesets. Deleting the push rule, even though it was only in evaluation mode, made the issue go away. Blocking in eval-only mode seems to be a bug. We use a PAT to check out the repo and push to it, for what it's worth, and the bot user for which the PAT was generated has admin permissions on the repo; this lets the pushes override a "must create PR first" branch protection rule. |
Beta Was this translation helpful? Give feedback.
-
Hi @patrick-knight, Using rulesets (and branch protection policies before that) we always faced a few issues while enforcing commit signatures.
Any of these situations will cause a (signed) merge commit on main to get blocked, because some of the baggage it's bringing along does not presently yield a valid signature. This new pre-receive enforcement seems like a great opportunity to address this use case. And BTW looking at the existing branch rulesets, enforcing commit metadata (ex: message patterns) does seem to follow the same kind of reasoning. Not that I have an immediate need for it, but it does make sense to me that it could be enforceable in the push phase as well. |
Beta Was this translation helpful? Give feedback.
-
hey there, this is awesome feature, i tried to enable one, and bypass github app, but it doesnt seem work for the bypass, it still get the |
Beta Was this translation helpful? Give feedback.
-
hi, Push Rules are a great idea, thank you for getting them this far. |
Beta Was this translation helpful? Give feedback.
-
We use a tool called release-please on pushes to master which creates releases/tags based on semantic commits. Part of this involves updating the current version in We run the workflow as a dedicated GitHub App so I created the push ruleset with this App in the bypass list. The workflow cannot push a change to this file if the rulset is either active or evaluating, only disabled and nothing ever appears in the rule insights. I've confirmed with the Happy to provide more information if needed. |
Beta Was this translation helpful? Give feedback.
-
Stumbled upon this (push ruleset) looking for a way to protect pipeline definitions. At a first glance seems to work as expected. And solves a real problem in a simple way that is otherwise hard to solve. 👌 About this warning:
I get it (I think) but I can also imagine it complicating contributing by others. One more thought: When having enterprise plan, to what extent will it be possible to impose certain rules in bulk to all repositories? |
Beta Was this translation helpful? Give feedback.
-
Thanks for this feature! As far as we could test, it perfectly fits our needs to protect our Workflows. |
Beta Was this translation helpful? Give feedback.
-
Stumbled upon push rulesets when looking for a way to prevent changes to workflow definitions across all repos in an org. It also applies to public repos if you configure the rule on org level, but you can easily bypass the rule through a pull request. So pushing a change to a workflow directly to main is denied, but merging a PR with the same change from a fork is allowed, and it doesn't even appear in the Insights logs. I understand your concerns about open source forks and limiting this feature to push/PR merge for public repos might be a good middle ground. I'm curious about your thoughts on this. |
Beta Was this translation helpful? Give feedback.
-
Encountered a couple issues when look to add a push ruleset to a repository. Would like to prevent most contributors from being able to modify certain files except for members of one team and a bot user. I can add both to by-pass the rule however when one of these restricted files has been updated on the main branch, anyone contributing changes via PRs that merges the updated main into their branch it will trigger the rule when they try to push it up. While we could ask people to rebase, this typically negatively impacts reviewing as once a review as begun rebasing means it's difficult for the review to see just what has changed since their last review. Additionally the second problem is that when developers hit this rule, there is no option to provide a customised message to help explain how to self resolve. Would it be possible to ignore commits containing changes to files that should be blocked if the commit is already part of the repository history? e.g.
The PR doesn't even show the file as being changed, it's only if you know how to use git diff to compare what was merged into the PR branch from the mainline that it is possible to see what triggered the failure. Even with such an exclusion, being able to customise the message for failures would be useful. We have a developer portal internally that teams can request changes that would result in generating the files that should not be pushed directly by them. This automatically ensures that the files have correct information that cannot be inferred by pipelines, so while we want developers to be able to trigger the creation of such protected files, we would want to tell them to use the portal instead of them hitting an error and then needing to ask for assistance. |
Beta Was this translation helpful? Give feedback.
-
Restrict file size is awesome and has made life much better, but it would be nice to be able to allowlist specific files |
Beta Was this translation helpful? Give feedback.
-
Please link to documentation (like in search) for the syntax allowed in globs: Context: I want to prevent recreating a deleted folder any of these could be valid, according to all the globbing variants out there:
but I don't know which of these will be correct. I found https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#restrict-file-paths, but I needed to search for 3 minutes to find this page, and then I'm redirected to a "technically correct", but not user friendly Ruby documentation. |
Beta Was this translation helpful? Give feedback.
-
As a follow-up on glob docs comment, I tried
and it happily accepted my file:
|
Beta Was this translation helpful? Give feedback.
-
I really like how this feature is shaping up! We occasionally have the need for an admin to (force-)push to our protected |
Beta Was this translation helpful? Give feedback.
-
Is it possible to allow files from the default branch to be compared against so when someone merges it into a feature branch the blocked file extensions can still be merged? Maybe compare the hash of the files in the default branch and the hash of the file in the commit and if they match allow it. |
Beta Was this translation helpful? Give feedback.
-
It would be nice if this could be used to restrict merges to the target branches to a list of refs. For instance, if one were trying to enforce gitflow, being able to set something that only allows merges into main from develop. some option like "restrict source branch" |
Beta Was this translation helpful? Give feedback.
-
Would love more flexibility in the rule sets. What we want: do not allow any updates to folder Currently, it seems like we can either (1) restrict any updates to folder Let me know if I'm missing something! One thing that would be very cool, especially considering that all GitHub users are developers, would be to let users define their protection rules in a simple DSL pushed to |
Beta Was this translation helpful? Give feedback.
-
We want to hear from you on push rules!
Who put an EXE file in my iOS mobile App repo? Why can I push a 20MiB mp3 when this repo is all .MD docs files? All these mysteries will soon be answerable and controllable.
It's been a year since we showed y'all the future of protecting branches with the public beta of repository rules.
But we had one lingering thought this whole time. How do we let you to prohibit certain things from entering a repository?
The repository rule release only let you protect refs, meaning the commit is in the repository already and can be reachable. Often, that's fine because rules are great for preventing unintended changes or enforcing governance decisions. But what about risky files in a repo due to size, type, or location? Thats where push rules come in.
If you’ve had a chance to try out the repo rules that are now in public beta, we’re curious to know your thoughts and how we can make this feature work better for you!
🐛 Known issues
~~ REST and GraphQL API will be available soon. ~~
When push rules are in- Fix rolled out Mayactive
orevaluate
mode the usage of both the /git/trees and /git/blobs API endpoints are restricted.15th 2024
June 13th 2024 Update
REST and GraphQL endpoints are available for push rules
Added a delegated bypass flow to the beta to allow one time requests to skip push rules.
Beta Was this translation helpful? Give feedback.
All reactions