How can I restrict a repo admin from creating or pushing to protected branches?

[andy-maier]

Select Topic Area

Question

Body

We are using GitHub Enterprise (with GitHub Enterprise Server 3.11.14), and I would like to protect branches (using wildcards, e.g. "dev-*") such that nobody can create a matching branch and nobody can push to an existing matching branch.

The protection I have in place works for non-admins, but not for admins. I want the restriction to apply also to admins.

Here are the relevant branch protection settings I have in place:

It seems that the "Organization admins, repo admins, ..." box there means that these people are always permitted to bypass the restrictions. Is that true?

How can I restrict these people as well?

[PhuyalGaurav]

I think you need to:

• Enable "Do not allow bypassing the above settings" in the branch protection rules (to ensure admins can't push or create matching branches).
• Create custom roles with specific permissions to limit admin control. (rather than granting full access to all admins)

[PhuyalGaurav]

By enabling the "do not allow bypassing the above setting" nobody, even admins, should be able to push to an existing matching branch.

[PhuyalGaurav]

But if you still want some admin functionality, you can create custom roles with specific permissions.

[andy-maier]

I do not know whether we have custom roles to change the default, but don't suspect so.

I did verify that as an admin, I can directly push to a protected branch and create a matching new branch, even when the "Do not allow bypassing the above settings" is enabled.

And if you take this statement as written, it only applies to the settings above, which does not include the settings below, i.e. the "Restrict who can push to matching branches" setting.

I can follow up with our GHE admins on the custom roles topic.

[PhuyalGaurav]

As far as my knowledge goes , "Do not allow bypassing the above settings", should stop even admins from directly pushing to a protected branch. I've even tried it myself.

[PhuyalGaurav]

Also check if this :

is enabled.