I am looking for a way via GitHub (or CircleCI) settings to prevent the person who opens or commits to a pull request from being able to merge or approve that pull request.

So far I have the protection of a branch that requires approvals, but post-approval I, as PR creator and committer, am still able to merge.

TylerH
bensiu
  • You cannot fix this with a CI system because it doesn't get called when an attempt to merge happens. The only way you can control who performs once the PR is approved and meets all checks is to let only a robot do it. – bk2204 Jul 02 '20 at 00:50

3 Answers

You need to be able to

prevent the person that is involved in PR (create PR or make a commit) to be able to merge PR (or even approve it)

A contributor who has created a PR cannot approve or request changes by default in GitHub, so that is already taken care of.

Since a Pull Request is a GitHub feature, a PR merge can currently only be blocked in 2 ways

  • Using GitHub's settings
  • Using pre-receive hooks (only for GitHub Enterprise)

Using GitHub's settings, you can only block merging by requiring either pull request reviews, status checks to pass, signed commits or linear history as shown under the branch protection settings.

or by allowing merge commits, squash merging or rebase merging as shown in the Merge button section under repo settings

If you are on GitHub Enterprise, you can use a pre-receive hook (documentation) like the one below to ensure that self-merging PRs are blocked (this example is here)

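#!/bin/bash
# GitHub Enterprise pre-receive hook: reject a merge when the user performing
# it is also the author of the pull request.
if [[ "$GITHUB_VIA" = *"merge"* ]] && [[ "$GITHUB_PULL_REQUEST_AUTHOR_LOGIN" = "$GITHUB_USER_LOGIN" ]]; then
    echo "Blocking merging of your own pull request."
    exit 1
fi

exit 0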

Apart from the above, there is no other way currently to block self-merging PRs on GitHub. And using CircleCI or any other CI workflow can only block merging for everybody (if you opt for the requirement of status checks on GitHub) or nobody, as it can't control the PR merge button.

Madhu Bhat

The short answer is no.

GitHub supports enabling master branch protection. This can help you enforce all kinds of rules like:

  • All PRs must have a code review before being merged
  • The reviewers of the code need to be an admin
  • The reviewers of the code need to be in a CODEOWNERS file
  • A subset of status checks all need to pass

For all of these rules, the assumption is that once they've been satisfied, anyone with write access to the repository can merge the PR. I'm curious - in what situation do you want to prevent that?

Now onto the bad ideas. If this was super important - you could take the drastic step of ensuring no human is responsible for merging PRs. You could add a codeowner that is mapped to a robot account, ensuring that robot account performs an approval before the PR can merge. To that end, you could write logic in a custom GitHub action that's triggered on PR events to determine if the PR should be merged, and auto-merge it if all appropriate conditions are met.

TylerH
Justin Beckwith
  • I am not looking for automatic approval (or robots) - I am looking to prevent merge by the person who commits, and approval by the person who commits. It is intended to follow the principles: Do not approve own commits, do not merge own commits – bensiu Jun 29 '20 at 14:43
  • I guess what I'm saying is - that's where approvals come in. GitHub assumes that as long as someone else who is *not* the author signs off, the commit is good to be merged by anyone who has write access. – Justin Beckwith Jun 29 '20 at 16:38
  • @JustinBeckwith the reason I'm looking for this functionality is we have a requirement that all of our commits be signed by a member of our company. If you do the merge via GitHub's web UI, it uses its own GPG key to sign the commits. That means the only way is to do it from the command line so that your local GPG agent provides your key. That's why I want to make it impossible to merge via the GitHub UI. – Jamie Apr 27 '23 at 00:45
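
The check a merge robot like the one described in the answer above would have to make, as an added example that is not part of the original answers or of any project linked on this page. It runs over constructed data shaped like GitHub's REST responses for a pull request, its commits and its reviews; the function names and reason strings are hypothetical, and fetching the data is assumed to happen elsewhere.

```javascript
// Added example: merge gate over constructed, GitHub-REST-shaped PR data.
const norm = (login) => (login || "").toLowerCase();

// Everyone who opened the PR or authored/committed one of its commits.
function involvedLogins(pr, commits) {
  const involved = new Set([norm(pr.user.login)]);
  for (const c of commits) {
    // author/committer are null when the commit e-mail maps to no account.
    if (c.author) involved.add(norm(c.author.login));
    if (c.committer) involved.add(norm(c.committer.login));
  }
  return involved;
}

// Latest decisive review per reviewer: a later CHANGES_REQUESTED or DISMISSED
// replaces an earlier APPROVED; COMMENTED and PENDING leave the verdict as is.
function currentVerdicts(reviews) {
  const decisive = new Set(["APPROVED", "CHANGES_REQUESTED", "DISMISSED"]);
  const byTime = (a, b) => Date.parse(a.submitted_at) - Date.parse(b.submitted_at);
  const latest = new Map();
  for (const r of [...reviews].sort(byTime)) {
    if (decisive.has(r.state)) latest.set(norm(r.user.login), r.state);
  }
  return latest;
}

// May `mergerLogin` merge? Fails closed when a commit cannot be attributed.
function mergeDecision(pr, commits, reviews, mergerLogin) {
  const reasons = [];
  if (commits.some((c) => !c.author)) reasons.push("unattributed-commit");
  const involved = involvedLogins(pr, commits);
  if (involved.has(norm(mergerLogin))) reasons.push("merger-is-contributor");
  const independent = [...currentVerdicts(reviews)].filter(
    ([login, state]) => state === "APPROVED" && !involved.has(login));
  if (independent.length === 0) reasons.push("no-independent-approval");
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample data (logins and timestamps are made up).
const samplePr = { user: { login: "alice" } };
const sampleCommits = [
  { author: { login: "alice" }, committer: { login: "alice" } },
  { author: { login: "Bob" }, committer: { login: "web-flow" } },
];
const sampleReviews = [
  { user: { login: "bob" }, state: "APPROVED", submitted_at: "2020-06-29T10:00:00Z" },
  { user: { login: "carol" }, state: "APPROVED", submitted_at: "2020-06-29T11:00:00Z" },
];
console.log(mergeDecision(samplePr, sampleCommits, sampleReviews, "carol"));
```

With the sample data, bob's approval does not count because he authored a commit in the PR, so the merge is allowed only on the strength of carol's review and only for a merger who did not contribute.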

I've built an Action to provide this; should work on GitHub.com, GHEC, and GHES: https://github.com/marketplace/actions/dismiss-code-reviews-from-collaborators

As always, Issues & PRs are welcomed: https://github.com/peckjon/reject-pr-approval-from-committer

Jon Peck