Restrict push access to organization repo master branch


(Brian Simpson) #1

Hi all,

I’m a fairly new Git and GitHub user. I teach an AP Computer Science A class and I’d like to start integrating git and github into my class. I think i’m going to use GitHub Classroom for lab assignments, and I understand how that will work. But, I have another problem.

I want to use a repo in my organization to hold code which I use during our “notes” days. The organization i’m using is the one GitHub Classroom is also using (if that matters). This code is just for demonstration purposes and I want students to be able to mess around with it locally, but I don’t want them to be able to push their changes back to the repo. Ideally I think I want a day to look like this:

  1. before class I finish my code for the day and commit changes/push to the remote organization repo named Notes.
  2. Students get into the habit of logging in to computers and immediately doing a git pull of that remote repo at the beginning of class
  3. we have class … and even if students commit their changes and then TRY to push (even if I tell them not to), I’d like it to not work.

I though the solution was to turn on branch protections in the Organization Settings, and I thought the exact setting which would stop this was Restrict Who Can Push to Matching Branches… But I enabled that and I added only my account, then I tested it with a second unconnected account and that second account can still push changes to the master branch of my Notes repo.

How do I fix this?


(Ugo Pattacini) #2

Branch protection is a possible way and it works. Perhaps, by mistake, when you pretended to be a different user you were still using the first git credentials. Do git config --list locally to check it out.

Anyway, using branch protection is definitely an overkill in this context. More simply, tune up who can have write access to your repository from the settings panel.

Students should have only read access, instead.


(Brian Simpson) #3

Thanks for your reply! I also thought maybe I was still using my original git credentials, so I did a fresh install of git on an old laptop, and I only ever typed in my second account’s info.

I have the Base Permissions under Member Privileges in Settings for the organization set to Base. As an external user (not a member of the organization), I cloned a public repo from the organization, then I made a change and commited, then I was still able to push it to the server. Is this allowed because Organization Base Permissions do not apply to external collaborators?

I suppose I should just use a private repo for this purpose, but i’m still waiting on the education discount to be approved.


(Ugo Pattacini) #4

A private repository is not the way to go if you aim to let developers/students freely clone your code.
You might find this collection of posts on the topic quite useful.