Consider stronger branch protection for main #745

@forsyth2

Request criteria

  • I searched the zppy GitHub Discussions to find a similar question and didn't find it.
  • I searched the zppy documentation.
  • This issue does not match the other templates (i.e., it is not a bug report, documentation request, feature request, or a question.)

Issue description

Currently, if collaborators have write access to the repo (so they can add commits to shared branches), then they also have the ability to merge pull requests into main.

If we select Require approvals, then no matter what, at least 1 approval will be required. We have tried this option in the past, but it is a blocker when a small PR needs to be merged and another reviewer is not available (the PR author is never allowed to approve).

Claude suggested "Create .github/CODEOWNERS with: * @your-username" to specify who is allowed to approve in the first place, but noted even valid approvers wouldn't be able to approve their own PR.

Finally Claude said:

Paid GitHub plan feature: "Limit who can merge pull requests" - directly restricts the merge button to specific people

Given that constraint, it seems our options are:

  1. Only give write access to the core development team and make everyone else work on forks. That was our original development model years ago, but if I recall correctly, people found forks difficult to work with.
  2. Always require approvals and accept that some very small PRs will be blocked from merging until someone else can take a look at them.
  3. The paid version feature where we can grant explicit "merge PR" permissions.
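
One way to check which of the review settings discussed above are actually in force on main, as an added example that is not part of the original issue. It assumes payloads shaped like the JSON from GitHub's REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection`; the sample payloads are constructed and `audit_protection` is a hypothetical helper name.

```python
# Added example: audit a branch-protection payload for the gaps discussed above.
# Payloads are constructed samples, not zppy's real settings. They are shaped
# like the JSON returned by GitHub's REST endpoint
# GET /repos/{owner}/{repo}/branches/{branch}/protection.

# Constructed: protection enabled, but no review requirement
# (write access is enough to merge, as the issue describes).
CURRENT_MAIN = {"enforce_admins": {"enabled": False}}

# Constructed: "Require approvals" plus required CODEOWNERS review.
STRICT_MAIN = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "require_code_owner_reviews": True,
    },
    "enforce_admins": {"enabled": True},
}


def audit_protection(protection):
    """Return a list of findings for one payload (hypothetical helper)."""
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("no review requirement: write access is enough to merge")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("pull request required, but zero approvals needed")
        if not reviews.get("require_code_owner_reviews", False):
            findings.append("approval from a CODEOWNERS entry is not required")
    # The key may be missing or null, so fall back to an empty dict.
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("administrators are exempt from these rules")
    return findings


if __name__ == "__main__":
    for name, payload in (("current", CURRENT_MAIN), ("strict", STRICT_MAIN)):
        issues = audit_protection(payload)
        print(name, "->", issues or "no gaps found")
```
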

Labels: DevOps (CI/CD, configuration, etc.)
