This document outlines the recommended GitHub branch protection rules to enforce the QC Plan requirements.
- **Require a pull request before merging**
  - ✅ Enable
  - Minimum number of reviewers: 1
  - Dismiss stale pull request approvals when new commits are pushed: Enabled
  - Require review from Code Owners: Enabled (if a CODEOWNERS file exists)
- **Require approvals**
  - ✅ Enable
  - Required number of approvals: 1
  - Dismiss stale pull request approvals when new commits are pushed: Enabled
- **Require status checks to pass before merging**
  - ✅ Enable
  - Required status checks:
    - `🔧 DevOps Checklist (Required)` ⚠️ REQUIRED - blocks merge until all DevOps items pass
    - `commit-lint` (Semantic Commits)
    - `docs-required` (Documentation Required)
    - `linter` (Semgrep Rules)
    - `precommit` (Pre-Commit)
    - `e2e-tests` (E2E Tests)
    - `staging-deployment` (Staging Deployment)
  - Require branches to be up to date before merging: Enabled

  Important: The `🔧 DevOps Checklist (Required)` check is automatically created by the DevOps Checklist Bot and must be marked as required to block merges. See DevOps Branch Protection for details.
- **Require conversation resolution before merging**
  - ✅ Enable
- **Require signed commits**
  - ⚠️ Optional (recommended for production)
- **Require linear history**
  - ⚠️ Optional (recommended for clean history)
- **Include administrators**
  - ⚠️ Set based on your team's policy
Reduced rule set (the same settings with fewer required status checks):

- **Require a pull request before merging**
  - ✅ Enable
  - Minimum number of reviewers: 1
- **Require status checks to pass before merging**
  - ✅ Enable
  - Required status checks:
    - `🔧 DevOps Checklist (Required)` ⚠️ REQUIRED
    - `commit-lint`
    - `docs-required`
    - `linter`
    - `precommit`
  - Require branches to be up to date before merging: Enabled
- **Require conversation resolution before merging**
  - ✅ Enable
To configure the rules in the GitHub UI:

- Go to your repository on GitHub
- Navigate to Settings → Branches
- Click Add rule or edit an existing rule
- Enter the branch name pattern (e.g., `main`, `master`, `develop`)
- Configure the settings as outlined above
- Click Create or Save changes
Via the GitHub API (a `PUT` to the branch protection endpoint replaces the whole rule set, so every setting must be given):

```bash
# Example: Protect main branch
curl -X PUT \
  -H "Authorization: token YOUR_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/OWNER/REPO/branches/main/protection \
  -d '{
    "required_status_checks": {
      "strict": true,
      "contexts": [
        "🔧 DevOps Checklist (Required)",
        "commit-lint",
        "docs-required",
        "linter",
        "precommit",
        "e2e-tests",
        "staging-deployment"
      ]
    },
    "enforce_admins": false,
    "required_pull_request_reviews": {
      "dismissal_restrictions": {},
      "dismiss_stale_reviews": true,
      "require_code_owner_reviews": true,
      "required_approving_review_count": 1
    },
    "restrictions": null,
    "required_linear_history": false,
    "allow_force_pushes": false,
    "allow_deletions": false
  }'
```

Via Terraform (`github_branch_protection` resource of the GitHub provider):

```hcl
resource "github_branch_protection" "main" {
  repository_id = github_repository.repo.name
  pattern       = "main"

  # Block merges until every listed context passes on an up-to-date branch
  required_status_checks {
    strict   = true
    contexts = [
      "🔧 DevOps Checklist (Required)",
      "commit-lint",
      "docs-required",
      "linter",
      "precommit",
      "e2e-tests",
      "staging-deployment"
    ]
  }

  # One approval, re-requested after each new push, with code-owner review
  required_pull_request_reviews {
    dismiss_stale_reviews           = true
    require_code_owner_reviews      = true
    required_approving_review_count = 1
  }

  enforce_admins = false
}
```

Create a `.github/CODEOWNERS` file to define code owners for automatic review assignment:

```
# Global owners
* @team-lead @devops-lead

# Specific paths
/.github/ @devops-team
/e2e/ @qa-team
/docs/ @documentation-team
```
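As an added example (not part of this page or the project's own tooling), the following Python script resolves which owners a change must be reviewed by, with the CODEOWNERS file above embedded as constructed input. It implements GitHub's precedence rule that the last matching pattern wins, which is why the global `*` line comes first and the path-specific lines override it. The pattern matcher is a simplified subset assumed for this example (`*`, root-anchored `/dir/` prefixes, and bare names or globs matched against any path component), not the full gitignore-style syntax.

```python
"""Resolve required reviewers for changed files from a CODEOWNERS file.

Added example; not part of the original page. Rules are tried in file order
and the LAST matching pattern wins (GitHub's documented precedence). The
matcher below is a simplified subset of the real syntax (assumption).
"""
import fnmatch

# Constructed input: the CODEOWNERS file shown on the page.
CODEOWNERS = """\
# Global owners
* @team-lead @devops-lead

# Specific paths
/.github/ @devops-team
/e2e/ @qa-team
/docs/ @documentation-team
"""


def parse_codeowners(text):
    """Return [(pattern, [owners...]), ...] in file order, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def _matches(pattern, path):
    """Simplified subset of CODEOWNERS matching (assumption of this example)."""
    path = path.lstrip("/")
    if pattern == "*":
        return True
    if pattern.startswith("/"):
        anchored = pattern.lstrip("/")
        if anchored.endswith("/"):          # root-anchored directory prefix
            return path.startswith(anchored)
        return fnmatch.fnmatchcase(path, anchored)
    if pattern.endswith("/"):               # directory name anywhere in the path
        return ("/" + pattern) in ("/" + path)
    # bare name or glob: match against any single path component
    return any(fnmatch.fnmatchcase(part, pattern) for part in path.split("/"))


def owners_for(path, rules):
    """Owners of a single path: the last matching rule overrides earlier ones."""
    owners = []
    for pattern, rule_owners in rules:
        if _matches(pattern, path):
            owners = rule_owners
    return owners


def required_reviewers(changed_files, rules):
    """Sorted union of owners across every changed file in a pull request."""
    result = set()
    for path in changed_files:
        result.update(owners_for(path, rules))
    return sorted(result)


if __name__ == "__main__":
    rules = parse_codeowners(CODEOWNERS)
    for f in ["src/app.py", "docs/README.md", ".github/workflows/ci.yml"]:
        print(f, "->", owners_for(f, rules))
    print(required_reviewers(["e2e/login.spec.ts", "src/app.py"], rules))
```

Because the last match wins, a file under `/docs/` is routed to `@documentation-team` alone rather than to the global owners as well; if both should review, list both teams on the specific line.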
After configuring branch protection:

- Create a test PR targeting the protected branch
- Verify that:
  - the PR cannot be merged without approval
  - the PR cannot be merged if CI checks fail
  - the PR cannot be merged if there are unresolved conversations
  - the PR requires an up-to-date branch
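The test PR above is a manual check. As an added example (not from the original page), the following Python script automates the same verification by auditing the branch protection JSON that `GET /repos/OWNER/REPO/branches/main/protection` returns (the request takes the same headers as the curl example above) against the first rule set on this page. The response shape used here, with booleans wrapped as `{"enabled": ...}`, is an assumption of the example, and both payloads are constructed inline so the script runs offline.

```python
"""Audit a GitHub branch protection payload against this page's rule set.

Added example; not part of the original page. It reads the JSON returned by
GET /repos/OWNER/REPO/branches/main/protection and reports every setting that
falls short of the requirements. The response shape (booleans wrapped as
{"enabled": ...}) is assumed, and the sample payloads are constructed here.
"""
import json

# Status checks the first rule set on the page requires.
REQUIRED_CONTEXTS = {
    "🔧 DevOps Checklist (Required)",
    "commit-lint",
    "docs-required",
    "linter",
    "precommit",
    "e2e-tests",
    "staging-deployment",
}


def sample_protection(contexts, dismiss_stale):
    """Build a constructed payload in the assumed shape of the GET response."""
    return json.dumps({
        "required_status_checks": {"strict": True, "contexts": list(contexts)},
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": dismiss_stale,
            "require_code_owner_reviews": True,
            "required_approving_review_count": 1,
        },
        "required_conversation_resolution": {"enabled": True},
        "enforce_admins": {"enabled": False},
        "allow_force_pushes": {"enabled": False},
        "allow_deletions": {"enabled": False},
    })


# Constructed: the DevOps Checklist context is missing and stale approvals survive.
SAMPLE_NONCOMPLIANT = sample_protection(
    sorted(REQUIRED_CONTEXTS - {"🔧 DevOps Checklist (Required)"}), False)
# Constructed: everything the rule set asks for is in place.
SAMPLE_COMPLIANT = sample_protection(sorted(REQUIRED_CONTEXTS), True)


def audit(payload, required_contexts=REQUIRED_CONTEXTS, min_approvals=1):
    """Return a list of findings; an empty list means the branch is compliant."""
    p = json.loads(payload)
    findings = []

    checks = p.get("required_status_checks") or {}
    if not checks:
        findings.append("status checks: none required before merging")
    else:
        if not checks.get("strict"):
            findings.append("status checks: branch not required to be up to date")
        for ctx in sorted(set(required_contexts) - set(checks.get("contexts", []))):
            findings.append(f"status checks: required context {ctx!r} is not enforced")

    reviews = p.get("required_pull_request_reviews") or {}
    if not reviews:
        findings.append("reviews: pull request not required before merging")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < min_approvals:
            findings.append(f"reviews: {count} approval(s) required, expected {min_approvals}")
        if not reviews.get("dismiss_stale_reviews"):
            findings.append("reviews: approvals are not dismissed when new commits are pushed")

    if not (p.get("required_conversation_resolution") or {}).get("enabled"):
        findings.append("conversations: unresolved threads do not block merging")
    for key in ("allow_force_pushes", "allow_deletions"):
        if (p.get(key) or {}).get("enabled"):
            findings.append(f"{key}: enabled on a protected branch")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NONCOMPLIANT) or ["compliant"]:
        print(finding)
```

Run it against the live API response after every change to the rule set, or on a schedule, so that a quietly removed status check or a relaxed review setting is reported rather than discovered at the next incident.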
These branch protection rules ensure:
- ✅ Level 1.1: Code reviewed by at least one peer (enforced via required approvals)
- ✅ Level 1.2: All reviewer comments resolved (enforced via conversation resolution)
- ✅ Level 1.3: Coding standards followed (enforced via CI checks)
- ✅ Level 2.2: Test cases executed (enforced via E2E tests status check)
- ✅ Level 2.1: Deployed to staging (enforced via staging deployment check)
Note: These are recommendations. Adjust based on your team's specific needs and policies.