Complete guide for setting up your GitHub repository with proper protections and workflows.
- Go to GitHub and create a new repository
- Name it: `webflow-university` (or your preferred name)
- Don't initialize with README, .gitignore, or license (you already have these)
- Copy the repository URL
Edit `package.json` and add the repository field:

```json
{
  "name": "webflow-university",
  "repository": {
    "type": "git",
    "url": "https://github.com/your-org/webflow-university.git"
  },
  ...
}
```

```bash
# Initialize git if not already done
git init
# Add remote
git remote add origin https://github.com/your-org/webflow-university.git
# Add all files
git add .
# Commit
git commit -m "chore: initial commit"
# Push to main
git branch -M main
git push -u origin main
```

Set these up immediately after your first push!
- Go to your repository on GitHub
- Click Settings → Branches
- Under "Branch protection rules", click Add rule
- In "Branch name pattern", enter: `main`
1. Require a pull request before merging
- ✅ Check: "Require a pull request before merging"
- ✅ Check: "Require approvals" → Set to `1` (or more for your team)
- ✅ Check: "Dismiss stale pull request approvals when new commits are pushed"
- ✅ Check: "Require review from Code Owners" (if you set up CODEOWNERS)
2. Require status checks to pass before merging
- ✅ Check: "Require status checks to pass before merging"
- ✅ Check: "Require branches to be up to date before merging"
- ✅ Select these required checks:
  - `lint-and-typecheck` (from CI workflow)
  - `build` (from CI workflow)
3. Require conversation resolution before merging
- ✅ Check: "Require conversation resolution before merging"
4. Do not allow bypassing the above settings
- ✅ Check: "Do not allow bypassing the above settings"
⚠️ Important: Uncheck "Allow specified actors to bypass required pull requests" unless you have a specific need
5. Restrict who can push to matching branches
- ✅ Check: "Restrict pushes that create matching branches"
- This prevents anyone from pushing directly to `main` (even admins)
6. Allow force pushes
- ❌ Uncheck: "Allow force pushes" (default is unchecked, which is good)
7. Allow deletions
- ❌ Uncheck: "Allow deletions" (default is unchecked, which is good)
Your main branch should have:
- ✅ Require PR before merging
- ✅ Require 1+ approval
- ✅ Require CI checks to pass (`lint-and-typecheck`, `build`)
- ✅ Require branches to be up to date
- ✅ Require conversation resolution
- ✅ No bypassing allowed
- ✅ No direct pushes (restrict pushes)
- ❌ No force pushes
- ❌ No deletions
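
To confirm the rule matches this checklist without clicking through the UI, the settings can be audited from the REST API's branch protection response. This is an added example, not part of the original guide; the mapping of checkboxes to response fields is this example's reading of the API, and the sample JSON is constructed.

```python
import json

# Constructed sample: shape of GET /repos/{owner}/{repo}/branches/main/protection,
# trimmed to the fields this guide configures. Not output from a real repository.
SAMPLE = json.loads("""
{
  "required_pull_request_reviews": {"required_approving_review_count": 1, "dismiss_stale_reviews": true},
  "required_status_checks": {"strict": true, "contexts": ["lint-and-typecheck"]},
  "required_conversation_resolution": {"enabled": true},
  "enforce_admins": {"enabled": false},
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": false}
}
""")

REQUIRED_CHECKS = {"lint-and-typecheck", "build"}  # check names from this guide


def audit(p):
    """Return a list of findings; an empty list means the rule matches the guide."""
    findings = []
    reviews = p.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no approving review required")
    if not reviews.get("dismiss_stale_reviews"):
        findings.append("stale approvals are not dismissed")
    checks = p.get("required_status_checks") or {}
    if not checks.get("strict"):
        findings.append("branch need not be up to date")
    missing = REQUIRED_CHECKS - set(checks.get("contexts") or [])
    if missing:
        findings.append("missing required checks: " + ", ".join(sorted(missing)))
    if not (p.get("required_conversation_resolution") or {}).get("enabled"):
        findings.append("conversation resolution not required")
    if not (p.get("enforce_admins") or {}).get("enabled"):
        findings.append("admins can bypass the rule")
    if p.get("restrictions") is None:
        findings.append("pushes are not restricted")
    for key in ("allow_force_pushes", "allow_deletions"):
        if (p.get(key) or {}).get("enabled"):
            findings.append(key + " is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL:", finding)
```

For a live repository, pass `audit()` the parsed JSON from `gh api repos/your-org/webflow-university/branches/main/protection`.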
- Go to Settings → Actions → General
- Under "Workflow permissions":
- Select: "Read and write permissions"
- ✅ Check: "Allow GitHub Actions to create and approve pull requests"
- Click Save
- Read and write permissions: Needed for the release workflow to:
- Create git tags
- Create GitHub releases
- Push commits (for version PRs)
- Commit the `dist/` folder
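
With the repository default set to "Read and write permissions", any job that declares no `permissions:` key of its own receives a write-capable `GITHUB_TOKEN`, not just the release workflow. The scan below lists such jobs so they can be given an explicit, narrower block. It is an added example, not part of the original guide; the two workflow files are constructed, and the parser assumes two-space indentation.

```python
import re

# Constructed workflow files (not the project's own); job names follow this guide.
WORKFLOWS = {
    "ci.yml": """\
name: CI
on: [pull_request]
jobs:
  lint-and-typecheck:
    runs-on: ubuntu-latest
    steps: [{run: echo lint}]
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps: [{run: echo build}]
""",
    "release.yml": """\
name: Release
on: {push: {branches: [main]}}
permissions:
  contents: write
  pull-requests: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps: [{run: echo release}]
""",
}


def jobs_inheriting_default(text):
    """Jobs with neither a workflow-level nor a job-level `permissions:` key."""
    if re.search(r"^permissions:", text, re.M):
        return []  # a workflow-level block applies to every job
    inheriting, current, in_jobs = [], None, False
    for line in text.splitlines():
        if re.match(r"^\S", line):  # any top-level key ends or starts `jobs:`
            in_jobs = line.startswith("jobs:")
        elif in_jobs and (m := re.match(r"^  ([\w-]+):", line)):
            current = m.group(1)  # job id at two-space indent
            inheriting.append(current)
        elif in_jobs and re.match(r"^    permissions:", line) and current in inheriting:
            inheriting.remove(current)  # job sets its own permissions
    return inheriting
```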
Create `.github/CODEOWNERS` to automatically request reviews:

```
# Require review for all changes
* @your-github-username
# Or require review from team (keep only one of these two lines;
# the last matching pattern takes precedence)
* @your-org/team-name
```

This ensures PRs automatically get assigned reviewers.
Try to push directly to main (should fail):

```bash
git checkout main
# Make a small change
echo "# test" >> TEST.md
git add TEST.md
git commit -m "test: direct push"
git push origin main
# Should be rejected!
```

```bash
# Create a test branch
git checkout -b test/branch-protection
echo "# test" >> TEST.md
git add TEST.md
git commit -m "test: branch protection"
git push origin test/branch-protection
# Create PR on GitHub
# Verify:
# - CI runs automatically
# - You can't merge without approval (if you're the only reviewer)
# - You can't merge if CI fails
```

```bash
# Create a changeset
pnpm changeset
# Select scripts, patch, write summary
git add .
git commit -m "test: changeset"
git push origin test/branch-protection
# After merging PR:
# - Version PR should be created automatically
# - You should need to approve it
# - After merging, release should be created
```

Solution:
- Make sure GitHub Actions is enabled
- Push a commit to trigger the workflow
- Check Actions tab to see if workflows are running
- Verify workflow files are in `.github/workflows/`
Solution:
- Wait for CI to finish (usually 2-5 minutes)
- Check Actions tab for failed workflows
- Fix any linting/type errors
- Push a new commit to re-trigger CI
Solution:
- Check that "Read and write permissions" is enabled in Actions settings
- Verify GITHUB_TOKEN has proper permissions
- Check Actions logs for specific errors
Solution:
- Verify changeset file exists in `.changeset/` directory
- Check that changesets action has proper permissions
- Review Actions logs for errors
- Never commit secrets - Use GitHub Secrets for sensitive data
- Review all PRs - Even your own (or use CODEOWNERS)
- Keep dependencies updated - Run `pnpm update` regularly
- Use branch protection - Prevents accidents
- Monitor Actions - Check for unexpected workflow runs
- Always work in branches - Never push directly to `main`
- Wait for CI - Don't merge until CI passes
- Create changesets - For any scripts package changes
- Review version PRs - Check version bumps are correct
- Don't bypass protections - Even if you can
- Review all PRs - Especially version PRs
- Monitor releases - Verify tags and releases are created correctly
- Keep workflows updated - Review and update GitHub Actions as needed
- ✅ Push your code to GitHub
- ✅ Set up branch protection (this guide)
- ✅ Enable GitHub Actions
- ✅ Create first changeset
- ✅ Test the full workflow with a small change
- ✅ Verify releases are created correctly
Before your first real deployment:
- Repository created on GitHub
- Code pushed to `main`
- Branch protection rules configured
- GitHub Actions enabled with write permissions
- CI workflow runs successfully
- Test PR workflow works
- Test changeset workflow works
- CODEOWNERS file created (optional)
- Team members added as collaborators
- Repository URL in `package.json` updated