A while back, when Github started adding branch protection rules, I wanted to make sure that not just anyone could try to make pull requests, merges, or push to remote origin on my public repositories. So I made sure at the very least to lock my main branch (or master with older repositories). That way it was “read only” for everyone except myself. Later, I even added this protection to private repositories in case if I temporarily made them public for whatever reason.

But I never remember getting any messages referring to these branch protection rules until Friday, March 24, 2023, when someone at Github had accidentally published Github's private SSH key on a public repository. And I thought, “What is going on? Why am I receiving this message, and what does it mean? Because I have admin access to all my repos. I should be able to do whatever I want!”. And “Why am I not getting this message when I was pushing to another repository around the same time?” I had not set up branch protection on that branch because it was a private repository.

Now I am adding at the very least this one branch protection rule, whether the repository is private or not!

I got back the following in Terminal after running the git push origin main command to push my local repo commits to remote origin for a repository in which I turned on “locked branch: read only” for my main (production) branch:

git push origin main
Enumerating objects: 21, done.
Counting objects: 100% (21/21), done.
Delta compression using up to 10 threads
Compressing objects: 100% (14/14), done.
Writing objects: 100% (14/14), 2.71 KiB | 925.00 KiB/s, done.
Total 14 (delta 10), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (10/10), completed with 7 local objects.
remote: Bypassed rule violations for refs/heads/main:
remote:
remote: - Cannot change this locked branch
remote:
To github.com:interglobalmedia/inter-jobs-api.git
   177ab81..48ba239  main -> main

I got the message “Bypassed rule violations for refs/heads/main” and “remote: - Cannot change this locked branch” because I had selected “Lock branch Branch is read-only. Users cannot push to the branch.” within the repository Settings for Branches under Branch Protection Rules. I suppose Git was updated to include those reminders to us as to which protection(s) we have turned on in our remote repositories, thereby letting us know that it knows, and Github knows and recognizes that those protections are indeed in place and working.

So why weren't protections working for Github on Friday, March 24, 2023? Or whenever their transgression actually took place?

There are many other protections one can turn on. I will be talking about a specific one that could have related to what happened on March 24, 2023 in another post.

Happy Git pushing to Github remote!

Related Resources

Client can bypass branch protection with pushed commits #16146: desktop/desktop (Github desktop)