Preventing direct pushes and ensuring changes happen through pull requests
To prevent direct pushes and ensure that changes happen through pull requests, you might want to set up branch protection rules in your version control system. Branch protection rules help to enforce certain workflows, such as requiring pull requests before changes are merged into protected branches.
If you're using GitHub as your version control system, you can use Pulumi with the GitHub provider to programmatically set up these branch protection rules. Below, I'll show you how to write a Pulumi program in TypeScript that creates branch protection rules for a repository, assuming that the repository already exists.
In this program, we'll be using the `github.BranchProtectionV3` resource from the GitHub provider (the branch protection resource that accepts the `repository`, `branch` and `restrictions` arguments used here) to enforce that all changes to the `main` branch can only occur through pull requests with required reviews.

Here's how you could set up branch protection in GitHub using Pulumi:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as github from "@pulumi/github";

const repoName = "example-repo"; // replace with your repository name

const branchProtection = new github.BranchProtectionV3("mainBranchProtection", {
    // The GitHub repository to attach the branch protection rule to
    repository: repoName,
    // The name of the branch to protect
    branch: "main",
    // Enforce all configured restrictions for administrators as well
    enforceAdmins: true,
    // Require at least one review on a pull request before merging
    requiredPullRequestReviews: {
        // Number of required approving reviews
        requiredApprovingReviewCount: 1,
        // Dismiss stale reviews automatically when new commits are pushed
        dismissStaleReviews: true,
    },
    // No user/team push restrictions are configured here
    restrictions: undefined, // This should be set as per your organization's needs
});

// Export the name of the protected branch
export const branchProtectionRuleName = branchProtection.branch;
```
In this Pulumi program, we're creating branch protection rules bound to a specific repository (`example-repo`) and branch (`main`). The rules we're enforcing include:

- `enforceAdmins`: If set to true, the rules apply to repository admins as well.
- `requiredPullRequestReviews`: This section includes sub-properties such as:
  - `requiredApprovingReviewCount`: The number of approvals needed to satisfy the requirement (set to 1 in this example).
  - `dismissStaleReviews`: Indicates that existing reviews are dismissed when new changes are pushed.
The `restrictions` field is left empty, which means there are no restrictions on who can push to the branch. This can be adjusted to specify which users or teams can push to the protected branch, effectively limiting direct pushes and enforcing a pull request workflow. The pull request requirement itself comes from `requiredPullRequestReviews`; `restrictions` only narrows who is allowed to push or merge.

Lastly, we're exporting the protected branch name as `branchProtectionRuleName` so it can be easily referenced if needed.
To apply this Pulumi program, make sure you have Pulumi installed and configured with the appropriate access tokens to interact with GitHub. Save this TypeScript code to a file named `index.ts` and run `pulumi up` to deploy the changes. This will set the branch protection rules in your repository, helping to ensure a pull request-based workflow.
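
To confirm that the deployed rule matches what the program declares, the following added example (not part of the original page or of Pulumi's own code) audits the JSON returned by GitHub's REST branch protection endpoint. The function name `auditProtection` and both sample payloads are assumptions constructed for illustration.

```typescript
// Added example: audit a branch protection payload against the policy above.
// Field names follow GitHub's REST "get branch protection" response.
interface Protection {
  enforce_admins?: { enabled: boolean };
  required_pull_request_reviews?: {
    required_approving_review_count?: number;
    dismiss_stale_reviews?: boolean;
  };
  allow_force_pushes?: { enabled: boolean };
}

// Returns a list of findings; an empty list means the branch matches the policy.
// Pass null when the API reports that the branch has no protection at all.
function auditProtection(p: Protection | null, minReviews = 1): string[] {
  if (p === null) return ["branch is not protected"];
  const findings: string[] = [];
  const reviews = p.required_pull_request_reviews;
  if (!reviews) {
    findings.push("pull requests are not required before merging");
  } else {
    const count = reviews.required_approving_review_count ?? 0;
    if (count < minReviews) findings.push(`only ${count} approving review(s) required`);
    if (!reviews.dismiss_stale_reviews) findings.push("stale approvals survive new commits");
  }
  if (!p.enforce_admins?.enabled) findings.push("administrators can bypass the rule");
  if (p.allow_force_pushes?.enabled) findings.push("force pushes are allowed");
  return findings;
}

// Constructed sample payloads (not taken from a real repository).
const asDeployed: Protection = {
  enforce_admins: { enabled: true },
  required_pull_request_reviews: { required_approving_review_count: 1, dismiss_stale_reviews: true },
  allow_force_pushes: { enabled: false },
};
const drifted: Protection = {
  enforce_admins: { enabled: false },
  required_pull_request_reviews: { required_approving_review_count: 0, dismiss_stale_reviews: false },
  allow_force_pushes: { enabled: true },
};

console.log(auditProtection(asDeployed)); // []
console.log(auditProtection(drifted));    // four findings
console.log(auditProtection(null));       // branch is not protected
```

The payload can be fetched with `gh api repos/OWNER/REPO/branches/main/protection`, where `OWNER/REPO` is a placeholder for your repository. Running the check on a schedule catches rules that were loosened outside of Pulumi.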