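Branch protection rule configuration
The following rules must be configured manually in the GitHub repository settings UI, or automated with infrastructure-as-code tools such as Terraform/Ansible.
main branch protection rules
Path: Settings → Branches → Branch protection rules → Add rule
Required settings
| Setting | Value | Notes |
|---|---|---|
| Branch name pattern | main | Matches the main branch |
| Protect matching branches | ✅ Enabled | Turns on branch protection |
| Require pull request reviews | ✅ Required | At least 1 reviewer before merging |
| Require approvals | 1 | Minimum number of approvals |
| Dismiss stale approvals | ✅ Enabled | Re-approval is needed after the PR is updated |
| Require review from Code Owners | ☐ Optional | Recommended |
| Require status checks to pass before merging | ✅ Required | CI must pass |
| Required status checks | rust-check, rust-test, frontend-check | CI job names |
| Require branches to be up to date before merging | ☐ Optional | Recommended to leave off, to avoid complexity |
| Do not allow bypassing the above settings | ✅ Enabled | Even admins cannot bypass |
Security settings
| Setting | Value |
|---|---|
| Lock branch | ☐ Optional (leave unchecked; CI can still push) |
| Allow force pushes | ☐ Disabled (force push prohibited) |
| Allow deletions | ☐ Disabled (branch deletion prohibited) |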
develop branch protection rules
Path: Settings → Branches → Branch protection rules → Add rule
| Setting | Value |
|---|---|
| Branch name pattern | develop |
| Protect matching branches | ✅ Enabled |
| Require pull request reviews | ✅ Required |
| Require approvals | 1 |
| Dismiss stale approvals | ✅ Enabled |
| Require status checks to pass before merging | ✅ Required |
| Required status checks | rust-check, rust-test, frontend-check |
| Do not allow bypassing | ✅ Enabled |
| Allow force pushes | ☐ Disabled |
Automatically cleaning up merged branches
We recommend installing the GitHub App Branch Clean Up, or automatically deleting the source branch after a PR is merged:
- Settings → General → Automatically delete head branches → ✅ Enabled
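Configuring with the GitHub CLI (automation)
If the configuration needs to be automated through code, the gh CLI can be used:
```bash
# Install gh
brew install gh
# Log in
gh auth login
# Create the branch protection rule for main.
# The endpoint expects nested JSON objects and real booleans, which `-f`
# (string fields) cannot send, so the body is passed as JSON on stdin.
# "restrictions" is a required field of this endpoint; null means no push restrictions.
# "strict": false matches the table above ("Require branches to be up to date" left off).
gh api repos/{owner}/{repo}/branches/main/protection -X PUT --input - <<'EOF'
{
  "required_status_checks": {"strict": false, "contexts": ["rust-check", "rust-test", "frontend-check"]},
  "enforce_admins": true,
  "required_pull_request_reviews": {"required_approving_review_count": 1, "dismiss_stale_reviews": true},
  "restrictions": null,
  "allow_force_pushes": false
}
EOF
```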
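
To confirm that the rule was applied and has not drifted, the JSON returned by `gh api repos/{owner}/{repo}/branches/main/protection` can be compared against the policy in the main branch tables. The following is an added example, not part of the original document: the function and constant names are hypothetical, and the sample response is constructed.

```python
import json

# Policy taken from the main branch tables in this document.
REQUIRED_CHECKS = {"rust-check", "rust-test", "frontend-check"}
MIN_APPROVALS = 1


def _enabled(protection, key):
    """GET responses wrap these flags as {"enabled": bool}; a missing key counts as off."""
    return bool((protection.get(key) or {}).get("enabled", False))


def audit_protection(protection):
    """Return the deviations from the documented policy (empty list = compliant)."""
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request reviews are not required")
    else:
        if reviews.get("required_approving_review_count", 0) < MIN_APPROVALS:
            findings.append("fewer than 1 approval required")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale approvals are not dismissed")
    checks = protection.get("required_status_checks")
    if not checks:
        findings.append("status checks are not required")
    else:
        missing = REQUIRED_CHECKS - set(checks.get("contexts", []))
        if missing:
            findings.append("missing required checks: " + ", ".join(sorted(missing)))
    if not _enabled(protection, "enforce_admins"):
        findings.append("admins can bypass the rules")
    if _enabled(protection, "allow_force_pushes"):
        findings.append("force pushes are allowed")
    if _enabled(protection, "allow_deletions"):
        findings.append("branch deletion is allowed")
    return findings


# Constructed sample (not from a real repository): rust-test was dropped from
# the required checks and admin enforcement was switched off.
SAMPLE_DRIFTED = json.loads("""{
  "required_status_checks": {"strict": false, "contexts": ["rust-check", "frontend-check"]},
  "enforce_admins": {"enabled": false},
  "required_pull_request_reviews": {"dismiss_stale_reviews": true, "required_approving_review_count": 1},
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": false}
}""")

if __name__ == "__main__":
    for finding in audit_protection(SAMPLE_DRIFTED):
        print("DRIFT:", finding)
```

Running this on a schedule against the live API response and failing on any finding turns the tables into an enforced baseline rather than a one-time setup.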