Disable admins to be able to push to protected branch

[huehnerlady]

Hi,

we use github on a daily basis. We are currently in the process to protect out master branches better and just allow very few people (like automated bots) to be able to push to master directly.

We found the branch protection rule Restrict who can push to matching branches.
This sounds exactly like what we want, BUT it seems to default to repository and organization administrators:

We could not find a possibility to JUST allow the bots to be able to push directly.
Is there a way to JUST allow the bots to push to the master branch without a pull request?

[KieranDevvs]

Create a branch rule and then disable the exclusion of admins on that rule.

[huehnerlady]

Hi,
Thanks for your quick answer @KieranDevvs.
I had thought of that, but when I enable this setting, there is still the point in the Restrict who... setting:

Is that maybe a bug then?

[KieranDevvs]

Hi,
Thanks for your quick answer @KieranDevvs.
I had thought of that, but when I enable this setting, there is still the point in the Restrict who... setting:

Is that maybe a bug then?

That's an option to allow an exception to the rule, i.e you may want a certain person or team to be able to push to the branches matched by the rule. Leaving this option blank means no one can.

[huehnerlady]

I tried it but we still cannot push directly in master. I know found out that IF that restriction is enabled, NOBODY can click the merge/squash/rebase button apart from these people. So it is definitely not the functionality we want.

Does anyone know how to enable JUST bots to be able to push into a branch directlz and others have to get approved PullRequests and passing status checks?

Looks like the same feature I am looking for. Being able to block push (git push) to a branch but no restrictions on pull requests merging.

Main reason, block accidental merges to master.
Secondary reason, encourage looking at the tests.

Anyone has found a solution for it?

[huehnerlady]

I found a workaround. In the branch protection rule you could tick the box "include admins".
IF an admin needs to merge a branch without it being reviewed, the admin can temporarily remove that flag and do the merge. But then accidental merges to master cannot happen

I found that a bit tedious, but we merge PRs so rarely without approval that the advantage of not pushing to master by mistakes overweights the little hustle in merging without approval :)

Thanks, though not the work around I was looking for. :)

I just wish, i could have the limit on git push without the limit of pr merge(without second persons approval). That change I wouldn't need to sell in to the teams, I could just do it

[huehnerlady]

yes me too :)
But this is about the fact that you cannot restrict direct push to people without opening it up to admins

[athkalia]

What is needed is another option: Bypass branch protection rules for users then we can select github ids from a list. This is so that we only add the jenkins bot there, as unticking the include administrators option increases the risk of people pushing by accident to the branch.

[huehnerlady]

What is needed is another option: Bypass branch protection rules for users then we can select github ids from a list. This is so that we only add the jenkins bot there, as unticking the include administrators option increases the risk of people pushing by accident to the branch.

well that is exactly what this option is - this option allows github users - e.g. bots - to push directly to the branch without any review. BUT it always allows admins to do something too. So for me it looks like that should be an option which you should at least be able to disable

[levimatheri]

I'm setting this up for our team too. I decided to just create a machineuser which will have a kind of super-admin role and will be the only account used to force pushes