Enforce file level write access for monorepos
Write-guard is designed to enforce file-level write access for monorepos that have protected default branches (usually `main` or `master`) with

- Restrict push enabled
- Require status checks to pass before merging enabled.
You will need to define a `write-guard.yaml` in the root of your repository, e.g.:

```yaml
roles:
  # a named role that can be referenced as role/<name> under access
  - edit-all:
      - team/admins
      - permission/admin
      - user/geritol
access:
  # glob pattern -> principals allowed to change matching files
  # (the catch-all key is quoted because a bare leading * is an alias in YAML)
  "**":
    - role/edit-all
  security/**:
    - team/security
```
You need to run write-guard on your pull requests, e.g.:

```yaml
# .github/workflows/write-guard.yaml
name: Pull Request
on:
  pull_request:
    branches: [master]
jobs:
  write-guard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: master # Important!
          # write-guard needs to run on your master branch to prevent
          # PR openers from granting themselves edit permissions.
          #
          # The action will retrieve the files changed in the current PR
          # and validate write access based on the master branch's
          # write-guard.yaml.
      - name: write-guard
        uses: geritol/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
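The following is an added example, not the project's own code, that re-implements the check described by the configuration section and the workflow comment above: changed files are matched against the `access` globs, `role/<name>` entries are expanded from `roles`, and the PR author's principals (`user/`, `team/`, `permission/`) must intersect the allowed set. Several details are assumptions not stated on the page: the longest matching pattern decides, `**` spans path segments while `*` stays within one, a file no pattern covers is denied, and permission levels are compared by exact name. The `self_grant_demo` function shows why the configuration must be read from the protected branch rather than the PR head; the user name `pr-author` and the file lists are constructed for the example.

```python
"""Hypothetical write-guard style check (added example; not the geritol/write-guard code)."""
import re

# Constructed config mirroring the README's write-guard.yaml once parsed
CONFIG = {
    "roles": [{"edit-all": ["team/admins", "permission/admin", "user/geritol"]}],
    "access": {"**": ["role/edit-all"], "security/**": ["team/security"]},
}


def glob_to_regex(pattern):
    """Assumed glob semantics: '**' matches across '/', '*' matches within one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def load_roles(config):
    """roles is a list of single-key maps in the README example; flatten to one dict."""
    roles = {}
    for item in config.get("roles", []):
        roles.update(item)
    return roles


def expand_principals(entries, roles, depth=0):
    """Replace role/<name> references with the concrete principals they contain."""
    if depth > 10:  # guard against a role that references itself
        raise ValueError("role nesting too deep")
    flat = []
    for entry in entries:
        kind, _, name = entry.partition("/")
        if kind == "role":
            flat.extend(expand_principals(roles.get(name, []), roles, depth + 1))
        else:
            flat.append(entry)
    return flat


def principals_for_path(path, config):
    """Assumption: the longest matching access pattern is the one that applies."""
    matches = [(p, who) for p, who in config["access"].items() if glob_to_regex(p).match(path)]
    if not matches:
        return None  # fail closed: no pattern covers this path
    _, who = max(matches, key=lambda m: len(m[0]))
    return expand_principals(who, load_roles(config))


def actor_principals(user, teams, permission):
    return {f"user/{user}", f"permission/{permission}"} | {f"team/{t}" for t in teams}


def check_write_access(changed_files, config, user, teams, permission):
    """Return the changed files the actor may NOT edit; an empty list means the check passes."""
    have = actor_principals(user, teams, permission)
    denied = []
    for path in changed_files:
        allowed = principals_for_path(path, config)
        if allowed is None or not have.intersection(allowed):
            denied.append(path)
    return denied


def self_grant_demo():
    """Why the workflow checks out the protected branch before running the action.

    A PR that edits write-guard.yaml to add its own author is evaluated twice:
    against the base branch config (what the README mandates) and against the
    PR's modified config. Returns (denied_with_base_config, denied_with_head_config).
    """
    head_config = {
        "roles": [{"edit-all": CONFIG["roles"][0]["edit-all"] + ["user/pr-author"]}],
        "access": CONFIG["access"],
    }
    changed = ["write-guard.yaml", "src/app.py"]  # constructed PR file list
    return (
        check_write_access(changed, CONFIG, "pr-author", [], "write"),
        check_write_access(changed, head_config, "pr-author", [], "write"),
    )


if __name__ == "__main__":
    print(check_write_access(["src/app.py"], CONFIG, "alice", ["admins"], "write"))
    print(check_write_access(["security/policy.md"], CONFIG, "alice", ["admins"], "write"))
    print(self_grant_demo())
```

Running the module shows an admin passing for `src/app.py`, the same admin being denied on `security/policy.md` under the longest-match assumption, and the self-grant case being denied only when the base branch configuration is used.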