Merge queue doesn't work if creation of new branches is forbidden #167530
Replies: 3 comments 2 replies
The merge queue should absolutely be bypassable for branch creation - this is a gap in GitHub's implementation. Quick fixes:
The bypass list not including merge queue operations is honestly a design oversight. I'd file a GitHub Support ticket - this is a legitimate use case they need to address. Your security model makes sense (restrict CI secret access while allowing PR approvals), but GitHub's tooling isn't quite there yet. Go with option 1 for now.
🕒 Discussion Activity Reminder 🕒
This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one of the following actions:
1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as
2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.
3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.
Note: This dormant notification will only apply to Discussions with the
Thank you for helping bring this Discussion to a resolution! 💬
Question
With a ruleset like this (with "restrict creations" for all branches), the merge queue doesn't work:


Error:
Repository where I tested this: https://github.com/marco-test-org/merge-queue-test
Solution
Is it possible to add the merge queue as an option in the bypass list? So that the merge queue is authorized to create new branches.
Why do we need this?
We want to have some secrets restricted to an environment only available in the merge queue and the default branch.
However, this is not possible, because even if you use the branch pattern gh-readonly-merge-queue/master/*, people with write access can still push to such branches. So we thought about restricting branch creations completely for people with write access only, but in this case the merge queue doesn't work.
We need to give people write access because we want to enable them to approve PRs via the codeowners mechanism. But we don't want them to be able to push to branches that have access to CI secrets.
Alternative solution
forbid people to push to the branches gh-readonly-merge-queue/* by default
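As an added example (not code from this discussion or from GitHub), a small audit script that evaluates repository ruleset JSON against a merge-queue branch name and reports the two properties the question turns on: whether write users can still push to gh-readonly-merge-queue/* branches, and whether a "creation" restriction also covers those branches (which is what breaks the queue). The sample rulesets are constructed, and the field names (conditions.ref_name.include, rules[].type, bypass_actors) and the fnmatch semantics (~ALL, ** spanning /, * not) are assumed from GitHub's ruleset representation; verify against a real export.

```python
import json
import re

# Constructed sample: two repository rulesets shaped like GitHub's ruleset JSON.
# Field names are assumed from the REST representation; check a real export.
SAMPLE_RULESETS = json.loads("""
[
  {"name": "merge-queue-readonly", "enforcement": "active",
   "conditions": {"ref_name": {"include": ["refs/heads/gh-readonly-merge-queue/**"],
                               "exclude": []}},
   "rules": [{"type": "update"}, {"type": "deletion"}],
   "bypass_actors": []},
  {"name": "no-branch-creation", "enforcement": "active",
   "conditions": {"ref_name": {"include": ["~ALL"], "exclude": []}},
   "rules": [{"type": "creation"}],
   "bypass_actors": []}
]
""")

def ref_matches(pattern, ref):
    """Assumed fnmatch semantics: '~ALL' is every ref, '**' spans '/', '*' does not."""
    if pattern == "~ALL":
        return True
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, ref) is not None

def applicable_rules(rulesets, ref):
    """Map rule type -> names of active rulesets whose conditions cover ref."""
    found = {}
    for rs in rulesets:
        if rs.get("enforcement") != "active":
            continue
        cond = rs["conditions"]["ref_name"]
        included = any(ref_matches(p, ref) for p in cond.get("include", []))
        excluded = any(ref_matches(p, ref) for p in cond.get("exclude", []))
        if included and not excluded:
            for rule in rs["rules"]:
                found.setdefault(rule["type"], []).append(rs["name"])
    return found

def audit_merge_queue(rulesets, queue_ref="refs/heads/gh-readonly-merge-queue/master/pr-1-abc"):
    """Pushes blocked? ('update' rule) Queue branch creation blocked? ('creation' rule).
    The queue_ref name is a constructed placeholder for a merge-queue branch."""
    rules = applicable_rules(rulesets, queue_ref)
    return {
        "queue_pushes_restricted": "update" in rules,
        "queue_creation_blocked": "creation" in rules,
        "creation_rulesets": rules.get("creation", []),
    }
```

With the sample rulesets, the audit reports pushes to the queue branch as restricted but also flags that the "creation" ruleset covers the queue namespace with no bypass actor, which is the configuration the question describes as breaking the merge queue.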