Fatskills
Practice. Master. Repeat.
Study Guide: TECH **Git & GitHub: Protecting Branches (Require Approvals, Status Checks) – Zero-Fluff Study Guide**
Source: https://www.fatskills.com/web-development/chapter/tech-git-github-protecting-branches-require-approvals-status-checks-zero-fluff-study-guide

TECH **Git & GitHub: Protecting Branches (Require Approvals, Status Checks) – Zero-Fluff Study Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~6 min read

Git & GitHub: Protecting Branches (Require Approvals, Status Checks) – Zero-Fluff Study Guide


1. What This Is & Why It Matters

What it is:
Branch protection rules in GitHub let you enforce policies on who can push to a branch, require pull request (PR) approvals, and mandate status checks (like CI tests) before merging. Think of it as a bouncer at a nightclub—only certain people get in, and they must meet the dress code (status checks) and have a VIP pass (approvals).

Why it matters in production:
- Prevents broken deployments: If main is protected, no one can force-push or merge untested code.
- Enforces code review: Requires at least one approval before merging, reducing bugs and security flaws.
- Blocks bad merges: Status checks (e.g., CI tests, security scans) must pass before merging.
- Compliance & audit trails: Mandatory approvals create a paper trail for regulatory requirements (e.g., SOC 2, HIPAA).

Real-world scenario:
You’re a DevOps engineer at a fintech startup. A junior dev accidentally force-pushes to main, breaking the production API. Without branch protection, this could take hours to fix. With protection, GitHub blocks the push and forces a PR with approvals and passing tests.


2. Core Concepts & Components

Term Definition Production Insight
Branch protection rule A GitHub setting that enforces policies on a branch (e.g., main, prod). If you don’t protect main, a single git push --force can wipe out history.
Required approvals A PR must be approved by at least N reviewers before merging. Set N=2 for critical repos (e.g., payment systems).
Dismiss stale approvals Automatically removes approvals if new commits are pushed. Prevents "rubber-stamping" PRs without re-review.
Require status checks to pass PRs can’t merge unless CI tests (e.g., GitHub Actions, CircleCI) pass. If tests fail, the merge button is disabled.
Require branches to be up to date PRs must merge the latest main before merging. Prevents merge conflicts and ensures tests run on latest code.
Restrict who can push Only certain users/teams can push to a protected branch. Useful for prod branches where only senior devs should merge.
Require signed commits Commits must be GPG-signed to merge. Prevents impersonation attacks (e.g., someone pushing as "you").
Require linear history Blocks merge commits, enforcing a clean, linear history. Makes git bisect easier for debugging.
Include administrators Applies protection rules to repo admins (default: off). Prevents even admins from bypassing rules.


3. Step-by-Step: Protecting a Branch in GitHub


Prerequisites

  • A GitHub repo (public or private).
  • Admin or maintainer permissions on the repo.
  • A CI workflow (e.g., GitHub Actions) for status checks (optional but recommended).

Task: Protect the main branch with approvals and status checks

Step 1: Navigate to Branch Protection Settings

  1. Go to your repo on GitHub.
  2. Click SettingsBranches.
  3. Under Branch protection rules, click Add rule.
  4. In Branch name pattern, enter main (or prod, release/*, etc.).

Step 2: Enable Required Approvals

  • Check Require a pull request before merging.
  • Check Require approvals and set the number (e.g., 1 for small teams, 2 for critical repos).
  • (Optional) Check Dismiss stale pull request approvals when new commits are pushed.

Step 3: Enable Status Checks

  • Check Require status checks to pass before merging.
  • Under Status checks that are required, select your CI workflow (e.g., ci/tests if you have a GitHub Actions workflow named tests.yml).
  • (Optional) Check Require branches to be up to date before merging to prevent merge conflicts.

Step 4: Restrict Who Can Push (Optional)

  • Check Restrict who can push to matching branches.
  • Add teams/users (e.g., @my-org/devops-team).

Step 5: Save the Rule

  • Click Save changes.

Verification

  1. Try pushing directly to main:
    bash
    git checkout main
    echo "test" > test.txt
    git add test.txt
    git commit -m "Test direct push"
    git push origin main

    Expected output:
    ! [remote rejected] main -> main (protected branch hook declined)
    error: failed to push some refs to 'github.com/your-repo.git'
  2. Create a PR and try merging without approvals:
  3. The Merge button will be disabled.
  4. Approve the PR and wait for CI to pass:
  5. The Merge button will now be enabled.

4. ? Production-Ready Best Practices


Security

  • Require signed commits for main/prod branches to prevent impersonation.
  • Restrict push access to senior devs/DevOps for critical branches.
  • Enable "Include administrators" to prevent even admins from bypassing rules.

Cost Optimization

  • Skip status checks for draft PRs (GitHub Actions has a github.event.pull_request.draft condition).
  • Use branch protection rules instead of manual reviews to reduce human error.

Reliability & Maintainability

  • Enforce linear history (git rebase instead of git merge) for cleaner debugging.
  • Use branch naming conventions (e.g., feature/*, hotfix/*) and protect them.
  • Tag releases (v1.0.0) and protect tags to prevent accidental deletion.

Observability

  • Monitor branch protection violations (GitHub Audit Log).
  • Set up alerts for failed status checks (e.g., Slack notifications).


5. ⚠️ Common Mistakes & Traps

Mistake Symptom Fix/Prevention
Not requiring status checks Broken code merges into main. Always require CI tests before merging.
Allowing admins to bypass rules Admins force-push to main. Enable Include administrators.
Not dismissing stale approvals PRs get merged without re-review after new commits. Enable Dismiss stale approvals.
Not restricting push access Junior devs push directly to prod. Restrict push access to senior devs.
Forgetting to update branch protection after CI changes New CI workflows aren’t required. Audit branch protection rules after CI changes.


6. ? Exam/Certification Focus


Typical Question Patterns

  1. "Which setting prevents force-pushes to main?
  2. Branch protection rule with "Restrict force pushes" enabled.
  3. ❌ "Git hooks" (not enforced on GitHub).

  4. "How do you enforce at least 2 approvals before merging?"

  5. Set "Require approvals" to 2 in branch protection.
  6. ❌ "Use CODEOWNERS" (only suggests reviewers, doesn’t enforce count).

  7. "What happens if a PR has 1 approval but CI fails?"

  8. Merge button is disabled.
  9. ❌ "It merges anyway" (only if status checks are not required).

Key ⚠️ Trap Distinctions

  • CODEOWNERS vs. Required Approvals:
  • CODEOWNERS suggests reviewers but doesn’t enforce approvals.
  • Branch protection enforces approvals.
  • Status Checks vs. Required Reviews:
  • Status checks = CI tests must pass.
  • Required reviews = humans must approve.


7. ? Hands-On Challenge

Challenge:
Protect the dev branch in a repo so that: 1. PRs require 1 approval.
2. CI tests must pass.
3. Only @my-org/dev-team can push to dev.

Solution:
1. Go to Settings → Branches → Add rule.
2. Set Branch name pattern to dev.
3. Enable:
- Require a pull request before merging
- Require approvals (1)
- Require status checks to pass (select your CI workflow)
- Restrict who can push (add @my-org/dev-team) 4. Save.

Why it works:
- GitHub enforces all selected rules before allowing merges.


8. ? Rapid-Reference Crib Sheet

Action Command/Config Notes
Protect a branch GitHub Settings → Branches → Add rule Requires admin permissions.
Require approvals Check Require approvals (set count) ⚠️ Default: 1 approval.
Require status checks Check Require status checks Must select CI workflow.
Restrict push access Check Restrict who can push Add teams/users.
Enforce linear history Check Require linear history Blocks merge commits.
Include admins Check Include administrators ⚠️ Off by default.
Dismiss stale approvals Check Dismiss stale approvals Prevents rubber-stamping.
Require signed commits Check Require signed commits Uses GPG.
Verify protection git push origin main (should fail) Tests if branch is protected.


9. ? Where to Go Next


Final Tip:
Branch protection is your last line of defense against broken deployments. Treat it like a seatbelt—you hope you never need it, but when you do, it saves lives. ?



ADVERTISEMENT