GIT-005 critical branch-protection

Branch protections configured

Protected branches with PR requirements, no force push, and documented admin bypass

Question to ask

"Could an engineer force-push to main right now?"

Verification guide

Severity: Critical

Check via GitHub API:

  1. Check if branches are protected (works with any repo access):

    gh api repos/{owner}/{repo}/branches/main --jq '.protected'
    gh api repos/{owner}/{repo}/branches/staging --jq '.protected'
    
  2. Get full protection details (requires admin access):

    gh api repos/{owner}/{repo}/branches/main/protection --jq '{
      force_pushes_blocked: (.allow_force_pushes.enabled == false),
      enforce_admins: .enforce_admins.enabled,
      required_approvals: .required_pull_request_reviews.required_approving_review_count,
      dismiss_stale_reviews: .required_pull_request_reviews.dismiss_stale_reviews,
      has_push_restrictions: (.restrictions != null)
    }'
    

Note: A 404 from the protection endpoint means either that no protection rules exist or that the caller lacks admin permission to view them; gh exits non-zero in both cases, so an empty result is not evidence that the branch is unprotected. Use the `protected` flag from step 1 to tell the two apart. These endpoints cover classic branch protection rules only; if the repository relies on rulesets instead, also query `gh api repos/{owner}/{repo}/rules/branches/main`.

Pass criteria:

  • main/master branch is protected
  • staging branch is protected (if it exists)
  • Force pushes blocked (allow_force_pushes.enabled: false)
  • PRs require at least 1 approval (required_approving_review_count >= 1)
  • enforce_admins.enabled: true (admins cannot bypass the rules), or a documented exception for admin bypass with a plan to turn the bypass off

If no admin access, ask the user: "Branch shows as protected but I can't see details. Please confirm:

  • Force pushes are disabled
  • Direct pushes require PRs
  • At least 1 approval required on PRs
  • Admin bypass status (enabled/disabled, if enabled is there a plan to disable?)"
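The two API calls, the 404 handling and the pass criteria above can be run as one script. The following is example code added to this page, not part of the original checklist: it assumes `gh` is installed and authenticated, wraps `gh api` in a small helper, and scores the JSON bodies against the criteria so that hidden details fall back to the "ask the user" list rather than being recorded as a failure. The `evaluate` function is pure, so it can be exercised offline on constructed responses.

```python
"""GIT-005 helper: pull branch-protection state with `gh api` and score it
against the pass criteria. Example code added to this page, not part of the
original checklist. Assumes `gh` is installed and authenticated; the JSON
shapes mirror the GitHub REST branch and branch-protection responses."""
import json
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# main must be protected; staging only needs protection if it exists.
REQUIRED_BRANCHES = ("main", "staging")


@dataclass
class BranchResult:
    branch: str
    protected: Optional[bool]            # None: branch does not exist
    details_visible: bool = False        # protection endpoint returned 200
    failures: List[str] = field(default_factory=list)
    needs_confirmation: List[str] = field(default_factory=list)


def gh_api(path):
    """Run `gh api <path>`; return (ok, parsed body). gh exits non-zero on a
    404 (no rule, or no permission to read it), so ok=False covers both."""
    proc = subprocess.run(["gh", "api", path], capture_output=True, text=True)
    if proc.returncode != 0:
        return False, None
    return True, json.loads(proc.stdout)


def evaluate(branch, branch_json, protection_json):
    """Apply the GIT-005 pass criteria to one branch.
    branch_json: body of /branches/{branch}, or None if the branch is absent.
    protection_json: body of /branches/{branch}/protection, or None when the
    call failed (no rules, or the caller is not an admin)."""
    r = BranchResult(branch=branch, protected=None)
    if branch_json is None:
        if branch == "main":
            r.failures.append("main branch not found")
        return r                          # staging is optional
    r.protected = bool(branch_json.get("protected", False))
    if not r.protected:
        r.failures.append("branch is not protected")
        return r
    if protection_json is None:
        # Protected, but details hidden: fall back to asking the repo owner.
        r.needs_confirmation += [
            "force pushes disabled",
            "direct pushes require PRs",
            "at least 1 approval required on PRs",
            "admin bypass status and plan to disable",
        ]
        return r
    r.details_visible = True
    p = protection_json
    # A protected branch blocks force pushes unless explicitly allowed.
    if p.get("allow_force_pushes", {}).get("enabled", False):
        r.failures.append("force pushes allowed")
    reviews = p.get("required_pull_request_reviews")
    if reviews is None:
        r.failures.append("pull request reviews not required")
    elif reviews.get("required_approving_review_count", 0) < 1:
        r.failures.append("no approving review required")
    if not p.get("enforce_admins", {}).get("enabled", False):
        # Not an automatic fail: allowed with a documented exception.
        r.needs_confirmation.append(
            "admin bypass enabled: documented exception and plan to disable?")
    return r


def audit(owner, repo, branches=REQUIRED_BRANCHES):
    """Fetch and evaluate every required branch (network calls via gh)."""
    results = []
    for b in branches:
        ok, branch_json = gh_api(f"repos/{owner}/{repo}/branches/{b}")
        prot = None
        if ok and branch_json.get("protected"):
            _, prot = gh_api(f"repos/{owner}/{repo}/branches/{b}/protection")
        results.append(evaluate(b, branch_json if ok else None, prot))
    return results


def passes(results):
    """Control passes when no branch has a hard failure; confirmations are
    evidence to collect from the repo owner, not failures."""
    return all(not r.failures for r in results)


if __name__ == "__main__":
    owner, repo = sys.argv[1:3]           # usage: script.py OWNER REPO
    results = audit(owner, repo)
    for res in results:                   # evidence: one record per branch
        print(json.dumps(res.__dict__, indent=2))
    print("PASS" if passes(results) else "FAIL")
```

Each printed record doubles as the evidence to capture: the `protected` flag, whether the full config was visible, the hard failures, and the items still needing the owner's confirmation (including admin bypass and its justification).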

Evidence to capture:

  • protected: true/false for each branch
  • Full protection config if accessible
  • Number of required approvals
  • Admin bypass status and justification if enabled

Section

01. Git Repo Setup & Security

Infrastructure & Setup