# Branch Protection Rule Configuration

The rules below must be configured manually in the GitHub repository settings UI, or automated with an infrastructure-as-code tool such as Terraform or Ansible.

## main branch protection rule

Path: **Settings → Branches → Branch protection rules → Add rule**

### Required settings

| Setting | Value | Notes |
|--------|-----|------|
| Branch name pattern | `main` | Matches the main branch |
| Protect matching branches | ✅ Enable | Turns branch protection on |
| **Require pull request reviews** | ✅ Required | At least one review before merging |
| **Require approvals** | `1` | Minimum number of approvals |
| Dismiss stale approvals | ✅ Enable | Approvals are discarded when new commits are pushed to the PR, so what was reviewed is what gets merged |
| Require review from Code Owners | ☐ Optional | Recommended |
| **Require status checks to pass before merging** | ✅ Required | CI must pass |
| Required status checks | `rust-check`, `rust-test`, `frontend-check` | CI job names; they must match the check names reported on the PR exactly, otherwise the PR stays at "Expected" and can never be merged |
| **Require branches to be up to date before merging** | ☐ Optional | Recommended off to avoid rebase churn; note that CI then tests the PR against the base it was opened on, so a PR can merge onto a `main` that has moved since the checks ran |
| Do not allow bypassing the above settings | ✅ Enable | The rules apply to administrators as well (`enforce_admins` in the API) |

### Security settings

| Setting | Value |
|--------|-----|
| Lock branch | ☐ Optional (leave unchecked so CI can still push) |
| Allow force pushes | ☐ Disabled (force pushes are rejected) |
| Allow deletions | ☐ Disabled (the branch cannot be deleted) |

## develop branch protection rule

Path: **Settings → Branches → Branch protection rules → Add rule**

| Setting | Value |
|--------|-----|
| Branch name pattern | `develop` |
| Protect matching branches | ✅ Enable |
| Require pull request reviews | ✅ Required |
| Require approvals | `1` |
| Dismiss stale approvals | ✅ Enable |
| Require status checks to pass before merging | ✅ Required |
| Required status checks | `rust-check`, `rust-test`, `frontend-check` |
| Do not allow bypassing | ✅ Enable |
| Allow force pushes | ☐ Disabled |

## Automatically clean up merged branches

Install the GitHub App [Branch Clean Up](https://github.com/apps/branch-cleanup), or have GitHub delete the source branch automatically once a PR is merged:

- **Settings → General → Automatically delete head branches** → ✅ Enable

## Configuring with the GitHub CLI (automation)

To configure the rules from code, use the `gh` CLI. Run it inside a clone of the repository so that `gh` can fill in the `{owner}/{repo}` placeholders:

```bash
# Install gh
brew install gh

# Log in
gh auth login

# Create the branch protection rule for main.
# The PUT endpoint requires all four top-level keys (null where unused) and real
# JSON types, so the body is sent with --input instead of -f, which posts strings.
# "strict": false matches the table above (branches need not be up to date).
gh api repos/{owner}/{repo}/branches/main/protection -X PUT --input - <<'EOF'
{
  "required_status_checks": {
    "strict": false,
    "contexts": ["rust-check", "rust-test", "frontend-check"]
  },
  "enforce_admins": true,
  "required_pull_request_reviews": {
    "required_approving_review_count": 1,
    "dismiss_stale_reviews": true
  },
  "restrictions": null,
  "allow_force_pushes": false,
  "allow_deletions": false
}
EOF
```
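The tables above define one policy for two branches, and the single `gh api` call only writes it without checking what GitHub actually stored. The script below is an added example, not code from the original page: it builds the protection body once, applies it to both `main` and `develop`, then reads each rule back through the API and fails if any field differs from the policy in the tables. It assumes `gh` is installed and logged in and that it runs inside a clone of the target repository (so `gh` can expand `{owner}/{repo}`); the function names `protection_body`, `apply_protection`, `expected_settings` and `verify_protection` are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): apply the main/develop branch
# protection policy from the tables above and verify the stored result.
# Assumes gh is installed and authenticated and that this runs inside a
# clone of the target repository so gh can expand {owner}/{repo}.
set -eu

CONTEXTS='"rust-check", "rust-test", "frontend-check"'

# JSON body for PUT repos/{owner}/{repo}/branches/<branch>/protection.
# All four top-level keys are mandatory for this endpoint (null where unused);
# "strict": false mirrors the table's choice not to require up-to-date branches.
protection_body() {
  approvals="${1:-1}"
  cat <<EOF
{
  "required_status_checks": { "strict": false, "contexts": [${CONTEXTS}] },
  "enforce_admins": true,
  "required_pull_request_reviews": {
    "required_approving_review_count": ${approvals},
    "dismiss_stale_reviews": true
  },
  "restrictions": null,
  "allow_force_pushes": false,
  "allow_deletions": false
}
EOF
}

# PUT the policy. --input - sends the JSON from stdin with real booleans and
# nested objects; -f fields would arrive as strings and be rejected.
apply_protection() {
  branch="$1"
  protection_body 1 | gh api -X PUT \
    "repos/{owner}/{repo}/branches/${branch}/protection" --input - >/dev/null
  echo "${branch}: protection applied"
}

# What a correctly protected branch must report, in the order produced by the
# jq expression in verify_protection.
expected_settings() {
  echo 'true|false|false|1|true|frontend-check,rust-check,rust-test'
}

# Read the stored rule back and compare it field by field with the policy.
# gh ships its own jq implementation, so no system jq is required.
verify_protection() {
  branch="$1"
  actual=$(gh api "repos/{owner}/{repo}/branches/${branch}/protection" --jq '
    [ .enforce_admins.enabled,
      .allow_force_pushes.enabled,
      .allow_deletions.enabled,
      .required_pull_request_reviews.required_approving_review_count,
      .required_pull_request_reviews.dismiss_stale_reviews,
      (.required_status_checks.contexts | sort | join(",")) ]
    | map(tostring) | join("|")')
  if [ "$actual" != "$(expected_settings)" ]; then
    echo "${branch}: protection drifted" >&2
    echo "  expected $(expected_settings)" >&2
    echo "  actual   ${actual}" >&2
    return 1
  fi
  echo "${branch}: protection verified"
}

# Runs only when invoked as "./protect.sh apply"; sourcing just defines functions.
if [ "${1:-}" = "apply" ]; then
  for branch in main develop; do
    apply_protection "$branch"
    verify_protection "$branch"
  done
fi
```

Run `./protect.sh apply` from the repository checkout; the verification step is what makes the script safe to rerun from CI as a drift check, since a rule loosened by hand in the UI (an admin re-enabling bypass, a removed status check) shows up as a non-zero exit with the differing fields printed.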