Ask Before Bypassing Rule Violations

[ben-goldstein]

Select Topic Area

Product Feedback

Body

I don't think I've seen this anywhere else, so please point me in the right direction if I missed it.

Scenario: you have permissions to bypass branching rules for the master branch. On the master branch, you make a local change and push to the remote. Currently, you get a message saying something like: Bypassed rule violations for refs/heads/master: Changes must be made through a pull request. Your changes are applied.

I like that you get a message. It would be great to take it a step further and ask for permission before bypassing rules. Using the example above, after the git push command, a response like You will bypass the following rules: ... Are you sure you want to continue? would be great.

As far as I'm aware, the branch protection rules are not something that can be pulled from the remote. If that were the case, it would be reasonable to build this into IDEs or as a git hook.

[jdevfullstack]

not very sure but here is the suggestion of Copilot,

---

You're correct that Git itself does not provide a built-in mechanism for enforcing branch protection rules on the client side. These rules are enforced on the server side by services like GitHub, GitLab, Bitbucket, etc.

However, you can achieve a similar effect using pre-push Git hooks. A pre-push hook script runs on your local machine before a git push operation is executed. If the script exits with a non-zero status, the git push operation will be aborted.

Here's a simple example of a pre-push hook that asks for confirmation before pushing to the master branch:

#!/bin/bash

protected_branch='master'
current_branch=$(git symbolic-ref HEAD | sed -e 's,.*/\(.*\),\1,')

if [ $protected_branch = $current_branch ]
then
    read -p "You're about to push to $protected_branch, are you sure? (y/n) " -n 1 -r < /dev/tty
    echo
    if echo $REPLY | grep -E '^[Yy]$' > /dev/null
    then
        exit 0 # push will execute
    fi
    exit 1 # push will not execute
else
    exit 0 # push will execute
fi

To use this script, you would need to put it in the .git/hooks directory of your repository and name it pre-push. You also need to make sure it's executable (chmod +x .git/hooks/pre-push).

Please note that this is a very basic script and does not cover all possible scenarios. For example, it does not handle the case where you're pushing a different local branch to the remote master branch. You would need to modify the script to handle such cases according to your needs.

Also, this script does not enforce the branch protection rules defined on the server. It simply asks for confirmation before pushing to master. If you want to enforce the same rules on the client side, you would need to implement these rules in your pre-push hook script.

[ben-goldstein]

Unfortunately, this doesn't really meet what I want to do. Managing two sources of branch protection rules is doomed to become inconsistent, especially if one of the sources lives under the .git directory, which won't be checked into source control. To make something like a pre-commit hook viable, we would need either a) a way to push these rules as code with our codebase or b) a way to pull the rules in from GitHub. Either way, the "source of truth" for our rules needs to be in one place and accessible

[Antiz96]

I also think such a feature would be great (at least I'd be interested in it 😄).

While you can already select who can bypass branch protection rules, you cannot ensure that they did not bypassed them by mistake.
I'd like to give the possibility to bypass branch protection rules to some people but still making sure they do it intentionally when needed (as I want such bypasses to only be done for required "emergencies").
Unfortunately, without any sort of explicit confirmation (like it's currently the case), there's too much room for "unintentional" pushes (e.g. you forgot to create a feature branch/you're not realizing you're working on the main branch locally before pushing). Therefore, I personally decided to enforce protection rules for everyone and manually allow bypassing temporarily when I explicitly need to (and, hopefully, don't forget to re-enforce them afterwards), which is clearly not ideal. 😅

All of this to say that I support this idea of having the possibility to ask for an explicit confirmation before bypassing branch protection rules (or any other way to make sure this is done intentionally, e.g. only allow force pushes to bypass protection rules). 👍

[patrick-knight]

👋 Way late to the party here.

Getting an approval flow inline is good feedback, but I'm not sure it's something we'll get to right now.

There is an option in ruleset to allow bypasses only in a PR. So the CLI would block on rule violations, unless you are pushing to an unprotected branch and then you can merge the PR bypassing all the requirements.

We're also thinking about how we expand the delegated bypass scenarios from push rules for PR scenarios, but don't have an ETA for that.