Stage 2 · Tools
Hooks & Automation
Protected Branches & CODEOWNERS
Require reviews, pass CI, and route reviews to the right team automatically.
Branch Protection Rules
Branch protection prevents direct pushes to important branches like main. Every change must go through a pull request with reviews and passing CI.
In GitHub, navigate to Settings → Branches → Add branch protection rule. The key settings are:
- Branch name pattern:
mainorrelease/* - Require a pull request before merging: forces the PR workflow
- Require approvals: set minimum reviewers (typically 1-2)
- Require status checks to pass: CI must pass before merge
- Require signed commits: only GPG/SSH-signed commits allowed
- Require linear history: no merge commits (enforces rebase or squash)
- Include administrators: rules apply to repo admins too
Set up branch protection as soon as you create the repo. Retroactively fixing a messy history is much harder than preventing one.
CODEOWNERS File
A CODEOWNERS file maps file paths to team members or teams who must review changes to those files. GitHub automatically requests reviews from the right people.
# Default owners for everything
* @platform-team
# Backend API changes
/src/api/ @backend-team
# Infrastructure changes
/terraform/ @devops-team
/docs/ @docs-team
# Security-sensitive files
*.lock @security-team
.Dockerfile @platform-team @security-teamEach line maps a file pattern to GitHub users or teams. The last matching pattern wins.
Only users with write permission to the repo can be added as code owners. If you reference a team, that team must have write access.
Required Reviews
When required reviews are enabled, a PR cannot be merged until the minimum number of approvals is met. Additional settings control the review process:
- Dismiss stale approvals: new pushes reset existing approvals (prevents approving outdated code)
- Require review from code owners: CODEOWNERS must approve their own files
- Restrict who can dismiss reviews: prevents authors from dismissing others' reviews
- Require conversation resolution: all comment threads must be marked resolved
# Protect main via API
curl -X PUT \
-H "Authorization: token $GITHUB_TOKEN" \
https://api.github.com/repos/OWNER/REPO/branches/main/protection \
-d '{
"required_pull_request_reviews": {
"required_approving_review_count": 2,
"dismiss_stale_reviews": true,
"require_code_owner_reviews": true
}
}'Automate branch protection setup with the GitHub API or Terraform.
Required Status Checks
Required checks ensure that CI pipelines pass before code can be merged. This catches bugs, linting issues, and security vulnerabilities before they reach main.
- Require branches to be up to date: must rebase on latest main before merge
- Status checks: specify which CI jobs must pass (e.g.,
test,lint,build) - Require conversation resolution: all threads must be resolved
name: CI
on: [pull_request]
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.22'
- run: go test ./...
- run: go vet ./...
- run: gofmt -l .These job names become available as required status checks in branch protection.
Branch protection, reviews, and CI checks are not red tape. They are engineering quality systems that prevent bugs, share knowledge, and keep production stable.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.