github/branch-deploy

Prevent deployment when the target branch is not the default branch

GrantBirki opened this issue · 6 comments

Currently, you are able to open a pull request that is targeting a branch other than the default (i.e. main) and you can deploy that branch while bypassing branch protection rules.

For example, you might have a branch protection rule on main that says a PR must be approved before it can be deployed. If you simply open a PR that targets a branch other than main, you would be able to deploy those changes without an approval.

Example:

gitGraph
    commit
    commit
    branch develop
    checkout develop
    commit
    commit
    branch bug-fix
    commit id: "fix error" type: HIGHLIGHT

In this example, you could not deploy any of the commits from the develop branch as they are trying to merge into the main branch which has a branch protection rule requiring passing CI, approvals, etc. However, if you open a PR from the bug-fix branch, you could .deploy the fix error commit without issues since it is not targeting a branch with branch protection (or rulesets).

This is a bug and it should be resolved.
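Added example, not part of the original issue and not code from github/branch-deploy: a fail-closed gate that refuses to deploy a pull request whose base branch is not the repository's default branch. It assumes PR objects shaped like the GitHub REST API pull request payload (`head.ref`, `base.ref`, `base.repo.default_branch`); the option name `allowNonDefaultTarget` and the sample PRs are hypothetical, constructed from the graph above.

```javascript
// Added example; not code from github/branch-deploy.
// PR objects follow the GitHub REST API pull request shape (head.ref, base.ref,
// base.repo.default_branch). The sample PRs are constructed from the issue's graph.

// opts.allowNonDefaultTarget is a hypothetical opt-out name used only in this sketch.
function checkDeployTarget(pr, opts = {}) {
  const base = pr?.base?.ref;
  const defaultBranch = pr?.base?.repo?.default_branch;

  // Fail closed: without both values we cannot tell which protections apply.
  if (typeof base !== "string" || typeof defaultBranch !== "string" || !base || !defaultBranch) {
    return { allowed: false, reason: "base ref or default branch unknown" };
  }
  // Exact comparison: Git ref names are case-sensitive, so 'Main' is not 'main'.
  if (base === defaultBranch) {
    return { allowed: true, reason: `targets default branch '${defaultBranch}'` };
  }
  // Only an explicit boolean true opts out; truthy strings do not count.
  if (opts.allowNonDefaultTarget === true) {
    return { allowed: true, reason: `targets '${base}', allowed by explicit opt-out` };
  }
  return { allowed: false, reason: `targets '${base}', not default branch '${defaultBranch}'` };
}

// Constructed sample data mirroring the example: main <- develop <- bug-fix.
const repo = { default_branch: "main" };
const samplePRs = [
  { number: 1, head: { ref: "develop" }, base: { ref: "main", repo } },
  { number: 2, head: { ref: "bug-fix" }, base: { ref: "develop", repo } },
  { number: 3, head: { ref: "hotfix" }, base: {} }, // malformed payload
];

// Evaluate every PR and return one decision record per PR.
function report(prs, opts) {
  return prs.map((pr) => ({ number: pr.number, ...checkDeployTarget(pr, opts) }));
}

console.log(report(samplePRs));
console.log(report(samplePRs, { allowNonDefaultTarget: true }));
```

With the opt-out enabled, the bug-fix PR deploys again, so the protections on its base branch are the only remaining control; the malformed payload stays blocked either way.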

Hi @GrantBirki

We just ran into your "bug" but on our side it's intended behavior that we allow deploying from these branches to specific environments. Is there a setting to disable this error?

@S3bb1 would you be able to go into more details around how/why you are using this deployment pattern?

Being able to bypass checks, approvals, and branch protection settings is considered very dangerous.

There is currently not a way to disable the safety checks that I added but that could be changed.

Hi @GrantBirki

Assume we have a private package and working atm on the main branch, but also have a second branch which will act as a bigger feature release.

Now we create PRs which point towards the "bigger feature" branch and want to deploy these PRs to specific development environments.

There is also a bigger DRAFT PR which points back to main from the "bigger feature" branch. This was opened now to be able to deploy to the dev instances, after a PR of the "bigger feature" was merged.

@S3bb1 Do you have some sort of branch protections or rulesets applied to these "bigger feature" branches? If so, then that would make your workflow a lot more "safe".

Either way, I will look into making an opt-out option for your use case today as I did not intend on this initial change to be breaking in this way for folks.

We have rulesets applied there :)
No hurry with that config, my initial question was just if I can opt out there 👍 we have now a solution which works for our needs at the moment.

Thank you in general for your time and efforts on this project.

@S3bb1 I have merged #361 which contains changes to disable the logic that is blocking your team.

The latest pre-release is available as well: v10.2.0.

Please go ahead and test it out and let me know if it works for you. Thanks!