Maintaining Coding Standards with GitHub Protected Branches
Maintaining coding standards is crucial for a team working on a project, and one way to enforce these standards in a GitHub repository is to set up protected branches. Protected branches ensure that certain conditions are met before code can be merged into the main branch, usually called `main` or `master`.

In Pulumi, we can automate the setup of protected branches using the `pulumi_github` package, which provides resources to interact with GitHub repositories. Below, we'll create a simple Pulumi program in Python that sets up a protected branch for a given repository.

The primary resource we will use is `BranchProtection`, which manages the protection settings of a branch. The branch protection rules we will define include the need for pull request reviews before merging, a signature requirement for commits, enforcement of the rules on repository administrators, and prevention of force-pushes and deletions. Here's how you can use Pulumi with Python to enforce these protections on your GitHub repository's main branch:
```python
import pulumi
import pulumi_github as github

# Replace these variables with your own repository and branch names.
repo_name = "my-awesome-repo"
branch_name = "main"

# Create the GitHub repository and keep it under Pulumi's management.
# auto_init=True creates the initial commit, so the default branch exists
# before the protection rule is applied. To protect a repository that
# already exists, bring it under management with `pulumi import` instead
# of declaring a new one here; otherwise the creation fails because the
# name is already taken.
repo = github.Repository(
    "repo",
    name=repo_name,
    description="Your repository description here",
    auto_init=True,
)

# Apply branch protection rules to the 'main' branch of the repository.
branch_protection = github.BranchProtection(
    "main-branch-protection",
    repository_id=repo.node_id,
    pattern=branch_name,
    enforce_admins=True,           # administrators are bound by the same rules
    allows_deletions=False,        # the branch cannot be deleted
    allows_force_pushes=False,     # history cannot be rewritten
    require_signed_commits=True,   # every commit needs a verified signature
    required_linear_history=True,  # no merge commits; squash or rebase only
    # Both settings below are lists; the provider accepts at most one entry each.
    required_status_checks=[
        github.BranchProtectionRequiredStatusCheckArgs(
            strict=True,                # branch must be up to date before merging
            contexts=["ci/travis-ci"],  # status check contexts that must pass
        )
    ],
    required_pull_request_reviews=[
        github.BranchProtectionRequiredPullRequestReviewArgs(
            require_code_owner_reviews=True,    # needs a CODEOWNERS file to take effect
            required_approving_review_count=2,  # number of required approvals
        )
    ],
)

# Export the full repo name and the URL to access it.
pulumi.export("repo_full_name", repo.full_name)
pulumi.export("repo_url", pulumi.Output.concat("https://github.com/", repo.full_name))
```
In this program:

- We first import the necessary Pulumi and GitHub provider packages.
- We specify the repository name and the branch we want to protect.
- We use the `github.Repository` resource to create the repository and keep it under Pulumi's management. This resource creates a repository rather than looking one up; if the repository already exists, bring it under management with `pulumi import` (or look it up with `github.get_repository`) instead of declaring a new one, otherwise `pulumi up` fails because the name is already taken.
- We then use the `github.BranchProtection` resource to enforce branch protection rules on the "main" branch. `pattern` is matched against branch names, so `main` protects only that branch; a glob such as `release/*` would protect a whole family of branches.
- We set `enforce_admins` to `True` to enforce these rules on repository administrators. Without it, any administrator (and any token with admin rights) can merge around the rules, so this is the setting that gives the others teeth.
- We set `allows_deletions` and `allows_force_pushes` to `False` to prevent branch deletions and force-pushes, respectively.
- We enable `require_signed_commits` and `required_linear_history` to mandate signed commits and a linear commit history. GitHub only accepts commits whose signature it can verify, so every contributor (and every bot that pushes) needs a registered signing key.
- We define `required_status_checks` with the name of the required status check context, such as a CI service like Travis CI. With `strict=True`, the pull request branch must also be up to date with `main` before it can be merged, so a change cannot pass CI against stale code.
- We define `required_pull_request_reviews` with the number of required approving reviews and mandate reviews from code owners. `require_code_owner_reviews` only has an effect for paths listed in a `CODEOWNERS` file; without one, it requires nothing.
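Once `pulumi up` has applied the rules, it is worth checking what GitHub actually stores, for instance from a scheduled CI job, because an administrator or a later Pulumi change can quietly weaken the protection. The following is an added example, not part of the original program or of the Pulumi provider: a small audit that compares a branch-protection payload shaped like GitHub's REST response for `GET /repos/{owner}/{repo}/branches/{branch}/protection` against the baseline this program is meant to enforce. The two payloads embedded in it are constructed samples, not captured API responses; in practice you would feed in the JSON returned by `gh api repos/OWNER/REPO/branches/main/protection`. The audit also expects `dismiss_stale_reviews`, which the Pulumi program above leaves at GitHub's default (off), so the program's own output would trip that one check unless you add `dismiss_stale_reviews=True` to `required_pull_request_reviews`.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Baseline the Pulumi program above is meant to enforce on the main branch.
MIN_APPROVALS = 2


@dataclass(frozen=True)
class Finding:
    setting: str   # the rule that is weaker than the baseline
    message: str   # what a careless maintainer or an attacker could do as a result


def _enabled(protection: dict, key: str) -> bool:
    """GitHub reports boolean rules as {"enabled": true/false}; absent means off."""
    return bool(protection.get(key, {}).get("enabled", False))


def audit_branch_protection(protection: dict) -> list[Finding]:
    """Compare one branch's protection settings against the baseline.

    `protection` has the shape of GitHub's REST response for
    GET /repos/{owner}/{repo}/branches/{branch}/protection.
    Returns an empty list when every baseline rule is in place.
    """
    findings: list[Finding] = []

    if not _enabled(protection, "enforce_admins"):
        findings.append(Finding("enforce_admins", "administrators can bypass every other rule"))
    if not _enabled(protection, "required_signatures"):
        findings.append(Finding("required_signatures", "unsigned commits are accepted"))
    if not _enabled(protection, "required_linear_history"):
        findings.append(Finding("required_linear_history", "merge commits can carry unreviewed changes"))
    if _enabled(protection, "allow_force_pushes"):
        findings.append(Finding("allow_force_pushes", "history can be rewritten"))
    if _enabled(protection, "allow_deletions"):
        findings.append(Finding("allow_deletions", "the branch can be deleted"))

    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append(Finding("required_pull_request_reviews", "changes can be merged without review"))
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < MIN_APPROVALS:
            findings.append(Finding("required_approving_review_count",
                                    f"{count} approval(s) required, baseline is {MIN_APPROVALS}"))
        if not reviews.get("require_code_owner_reviews", False):
            findings.append(Finding("require_code_owner_reviews", "code owners are not consulted"))
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append(Finding("dismiss_stale_reviews",
                                    "an approval survives later pushes to the pull request"))

    checks = protection.get("required_status_checks")
    if checks is None or not checks.get("contexts"):
        findings.append(Finding("required_status_checks", "no CI check gates the merge"))
    elif not checks.get("strict", False):
        findings.append(Finding("required_status_checks.strict",
                                "the pull request need not be up to date with the base branch"))
    return findings


# Constructed sample payload (not captured from GitHub) matching the baseline.
HARDENED_SAMPLE = json.loads("""{
  "required_status_checks": {"strict": true, "contexts": ["ci/travis-ci"]},
  "enforce_admins": {"enabled": true},
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": true,
    "require_code_owner_reviews": true,
    "required_approving_review_count": 2
  },
  "required_signatures": {"enabled": true},
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": false},
  "required_linear_history": {"enabled": true}
}""")

# Constructed sample of the same branch after an administrator relaxed a few rules.
WEAKENED_SAMPLE = json.loads("""{
  "required_status_checks": {"strict": false, "contexts": ["ci/travis-ci"]},
  "enforce_admins": {"enabled": false},
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": true,
    "require_code_owner_reviews": true,
    "required_approving_review_count": 1
  },
  "required_signatures": {"enabled": true},
  "allow_force_pushes": {"enabled": true},
  "allow_deletions": {"enabled": false},
  "required_linear_history": {"enabled": true}
}""")


if __name__ == "__main__":
    for label, payload in (("hardened", HARDENED_SAMPLE), ("weakened", WEAKENED_SAMPLE)):
        findings = audit_branch_protection(payload)
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{label}: {status}")
        for finding in findings:
            print(f"  - {finding.setting}: {finding.message}")
```

Run against the weakened sample the audit reports four gaps: administrators exempt, force-pushes allowed, only one approval required, and non-strict status checks. A payload with no rules at all (an empty object) yields a finding for every rule that must be switched on, which is what you see for a branch that was never protected.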
To execute this program, you'll need to have Pulumi installed and the GitHub provider configured with your GitHub token. The token must belong to an account with admin rights on the repository, since only administrators can change branch protection, so keep it out of the program and supply it through the provider configuration or the `GITHUB_TOKEN` environment variable.
After the program is run:

- The URL to access the repository will be exported as `repo_url`.
- The full repository name will be exported as `repo_full_name`.
Please review the in-line comments for details on each step. This program sets up a robust process for code review and integrates with CI/CD systems, ensuring that only thoroughly reviewed and tested code makes it into your main branch.
For more information about the properties you can configure, check out the BranchProtection documentation on the Pulumi website.