|
1 | | -<!--Manage sensitive data and security policies in GitHub--> |
| 1 | +In this unit, you’ll learn how to create and manage rulesets, and understand the advantages they offer over traditional protection rules. |
2 | 2 |
|
3 | | -In this unit, you'll learn how to create and manage rulesets, and understand the advantages they offer over traditional protection rules. |
| 3 | +As a GitHub administrator, you need granular control over who can push, delete, or rename branches and tags. **Repository rulesets** let you bundle multiple rules under a single name, apply them to selected branches or tags, and toggle them on or off without deleting them. They complement existing branch- and tag-protection rules, giving you a unified, layered approach to repository security. |
4 | 4 |
|
5 | | -As an administrator responsible for managing security policies and settings in GitHub, you might face the challenge of controlling how collaborators interact with specific branches and tags in your repositories. This is where repository rulesets come into play. |
| 5 | +## What are repository Rulesets? |
6 | 6 |
|
7 | | -Repository rulesets provide a powerful way to control how users can interact with certain branches and tags in a repository. By creating rulesets, you can define a named list of rules that govern various actions, such as pushing commits, deleting or renaming tags, and more. Rulesets work alongside branch-protection and tag-protection rules, allowing you to have fine-grained control over your repository's behavior. |
| 7 | +A **ruleset** is a named collection of rules that apply to one or more branches or tags in your repository. |
8 | 8 |
|
9 | | -By the end of this unit, you'll have a solid understanding of how to effectively use repository rulesets to control and protect key branches and tags in your repositories. |
| 9 | +- **Target selection:** Choose specific branches (e.g., `feature/*`) or tags (e.g., `v*.*`). |
| 10 | +- **Rule definitions:** Require status checks, enforce signed commits, block force pushes, and more. |
| 11 | +- **Bypass permissions:** Grant repository admins, teams, or GitHub Apps the ability to bypass certain rules. |
10 | 12 |
|
11 | | -## What are repository rulesets? |
| 13 | +For example, a ruleset for your `feature/*` branches can require signed commits and block force pushes for everyone except admins. You can also import existing tag-protection rules into a ruleset to reuse your current settings. |
12 | 14 |
|
13 | | -A ruleset is a named list of rules that applies to a repository. You can create rulesets to control how collaborators can interact with specific branches and tags in a repository. You can control things like who can push commits to a certain branch or who can delete or rename a tag. For example, you could set up a ruleset for your repository's `feature` branch that requires signed commits and blocks force pushes for all users except repository administrators. There's a limit of 75 rulesets per repository. |
| 15 | +## Comparing Rulesets, branch protection, and protected tags |
14 | 16 |
|
15 | | -## Comparing rulesets, branch protection, and protected tags |
| 17 | +| Capability | Protection Rules | Rulesets | |
| 18 | +|----------------------------------------------|------------------|----------------------| |
| 19 | +| Single rule per branch or tag | ✅ | ❌ (multiple rules) | |
| 20 | +| Multiple rule groups can coexist | ❌ | ✅ | |
| 21 | +| Enable or disable without deleting | ❌ | ✅ (status toggles) | |
| 22 | +| Visible to anyone with read access | ❌ (admin only) | ✅ | |
16 | 23 |
|
17 | | -Rulesets work alongside any branch protection rules and tag protection rules in a repository. Many of the rules you can define in rulesets are similar to protection rules, and you can start using rulesets without overriding any of your existing protection rules. Additionally, you can import existing tag protection rules into repository rulesets. This will implement the same tag protections you currently have in place for your repository. |
| 24 | +**Key advantages of rulesets** |
| 25 | +- **Layering:** Aggregate rules from multiple sources; the strictest setting applies. |
| 26 | +- **Statuses:** Enable, disable, or evaluate (test) rulesets without deletion. |
| 27 | +- **Transparency:** Developers and auditors can view active rulesets with read access, without admin rights. |
18 | 28 |
|
19 | | -Rulesets have the following advantages over branch and tag protection rules: |
| 29 | +## Creating your first Ruleset |
20 | 30 |
|
21 | | -- Unlike protection rules, multiple rulesets can apply at the same time, so you can be confident that every rule targeting a branch or tag in your repository will be evaluated when someone interacts with that branch or tag. |
22 | | -- Rulesets have statuses, so you can easily manage which rulesets are active in a repository without needing to delete rulesets. |
23 | | -- Anyone with read access to a repository can view the active rulesets for the repository. This means a developer can understand why they have hit a rule, or an auditor can check the security constraints for the repository, without requiring admin access to the repository. |
| 31 | +1. On GitHub.com, navigate to **Settings > Code and automation > Rules > Rulesets**. |
| 32 | +2. Click **New ruleset**, then select **Branch** or **Tag**. |
| 33 | +3. Enter a name and choose your target branches or tags. |
| 34 | +4. Toggle rules such as **Require status checks** or **Block force pushes**. |
| 35 | +5. Assign bypass permissions (e.g., Admins, CI App). |
| 36 | +6. Click **Create**. |
24 | 37 |
|
25 | | -## Create a ruleset |
| 38 | +:::image type="content" source="../media/new-branch-ruleset.png" alt-text="Screenshot of the new branch ruleset page from the left-hand navigation bar."::: |
26 | 39 |
|
27 | | -You can add rulesets to a repository to control how users can interact with selected branches and tags. When you create a ruleset, you can allow certain users to bypass the rules in the ruleset. This can be users with a certain role, such as repository administrator, or it can be specific teams or GitHub Apps. |
| 40 | +> [!TIP] |
| 41 | +> For release branches (`release/*`), require two successful status checks and block force pushes to enforce stability. |
28 | 42 |
|
29 | | -To create a ruleset: |
| 43 | +## Managing and editing Rulesets |
30 | 44 |
|
31 | | -1. In your repository, go to **Settings > Code and automation > Rules > Rulesets**. |
32 | | -1. Select **New ruleset** to show options. |
33 | | -1. Select **New branch ruleset** or **New tag ruleset** option. |
34 | | -1. Enter values to configure the ruleset. |
35 | | -1. Select **Create**. |
| 45 | +- **View active rulesets:** On the *Rulesets* page, see which sets target a given branch or tag. |
| 46 | +- **Edit a ruleset:** Click its name, adjust rules or targets, then **Save changes**. |
| 47 | +- **Toggle status:** Enable or disable a ruleset without deleting it. |
| 48 | +- **Delete:** Remove obsolete rulesets when they’re no longer needed. |
36 | 49 |
|
37 | | -:::image type="content" source="../media/new-branch-ruleset.png" alt-text="Create a new branch ruleset page from the left hand navigation bar."::: |
| 50 | +## Available rules |
38 | 51 |
|
39 | | -When creating a ruleset, you can grant bypass permissions, choose which branches or tags to target, and select the rules to include. |
| 52 | +Repository rulesets support many of the same protections as branch and tag protection: |
40 | 53 |
|
41 | | -## Manage a ruleset |
| 54 | +:::image type="content" source="../media/tag-ruleset-rules.png" alt-text="Screenshot of the rules toggle list, including tag protection and restriction options."::: |
42 | 55 |
|
43 | | -You can edit, monitor, and delete existing rulesets in a repository to alter how people can interact with specific branches and tags. For example, you can add rules to better protect your branches or tags, or you can temporarily disable a ruleset to troubleshoot any unintended effects on the contributor experience for your repository. |
| 56 | +Common examples: |
| 57 | +- **Require status checks to pass** (e.g., CodeQL, Dependency Review). |
| 58 | +- **Require signed commits**. |
| 59 | +- **Block force pushes or deletions**. |
| 60 | +- **Restrict who can push or merge**. |
44 | 61 |
|
45 | | -Anyone with read access to a repository can view the rulesets targeting the repository. This can be useful if you want to know why you can't commit to a branch. On the *Rulesets* page, you can view the active rulesets targeting a certain branch or tag. |
| 62 | +> [!TIP] |
| 63 | +> Enforce your CI/CD pipeline by requiring key workflows as status checks before merges. |
46 | 64 |
|
47 | | -To edit a ruleset: |
| 65 | +## Layering Rulesets and protections |
48 | 66 |
|
49 | | -1. In your repository, go to **Settings > Code and automation > Rules > Rulesets**. |
50 | | -1. Select the name of the ruleset you want to edit. |
51 | | -1. Change the ruleset as needed. |
52 | | -1. Select **Save changes**. |
| 67 | +GitHub aggregates all applicable rules—branch protection, tag protection, and multiple rulesets—and applies the most restrictive setting. |
53 | 68 |
|
54 | | -## Available rules |
| 69 | +**Example:** The `my-feature` branch has: |
| 70 | +- A ruleset requiring signed commits and three reviews. |
| 71 | +- A branch protection rule requiring a linear history and two reviews. |
| 72 | + |
| 73 | +**Outcome:** Pull requests need three reviews, and commits must be both signed and linear. |
| 74 | + |
| 75 | +## Impacts of policy and Ruleset choices in GitHub Enterprise |
| 76 | + |
| 77 | +Your policies and rulesets affect security, compliance, developer experience, and operational efficiency. Finding the right balance between control and flexibility is essential. |
| 78 | + |
| 79 | +### Security and compliance enforcement |
| 80 | + |
| 81 | +| **Pros** | **Cons** | |
| 82 | +|------------------------------|------------------------| |
| 83 | +| SAML SSO & 2FA enforced by rulesets prevent unauthorized access. | Blocking forks or enforcing lengthy approval chains can frustrate developers. | |
| 84 | +| Branch protections ensure every code change is reviewed. | Manual security checks increase administrative overhead. | |
| 85 | +| Audit-logging rulesets support SOC 2 and ISO 27001 compliance. | | |
| 86 | + |
| 87 | +### Developer productivity and workflow efficiency |
55 | 88 |
|
56 | | -There are many rules you can apply to a ruleset to protect targeted branches and tags in a repository. Here is the Rules section for a tag ruleset for reference. |
| 89 | +| **Pros** | **Cons** | |
| 90 | +|--------------------------|-------------------------| |
| 91 | +| Automated checks (Dependabot, Code Scanning) reduce manual work. | Strict approval policies slow fast-moving teams. | |
| 92 | +| Security rulesets automate compliance without manual steps. | Blocking force pushes can complicate emergency hotfixes. | |
| 93 | +| Flexible protections (e.g., reviews only on critical branches) maintain agility. | | |
57 | 94 |
|
58 | | -:::image type="content" source="../media/tag-ruleset-rules.png" alt-text="Screenshot of the toggle option list of the rules, including Tag protection and Restriction options."::: |
| 95 | +### Governance and access control |
59 | 96 |
|
60 | | -As an example, you might want to enforce CodeQL analysis and Dependency Review workflows on specific branches or tags. To enforce these with repository rulesets, you'd create a ruleset with **Require status checks to pass** and add these workflows to the rule. Then, these workflows must pass before allowing certain actions on a branch or tag. This could include actions like merging a pull request or pushing directly to a branch. This way, you can ensure that your code is always analyzed for vulnerabilities and that your dependencies are always reviewed for security risks before they're introduced into your codebase. The exact steps to configure this might vary based on your specific needs and the current configuration of your repository. |
| 97 | +| **Pros** | **Cons** | |
| 98 | +|-----------------------|---------------------------| |
| 99 | +| Visibility rules prevent accidental exposure of private code. | Over-restricting access can create collaboration bottlenecks. | |
| 100 | +| Fine-grained permissions ensure proper access levels. | Blocking forks in open-source projects hinders contributions. | |
| 101 | +| Fork restrictions reduce intellectual property risks. | | |
61 | 102 |
|
62 | | -## Layering rules |
| 103 | +### CI/CD and automation impact |
63 | 104 |
|
64 | | -A ruleset doesn't have a priority. Instead, if multiple rulesets target the same branch or tag in a repository, the rules in each of these rulesets are aggregated. If the same rule is defined in different ways across the aggregated rulesets, the most restrictive version of the rule applies. As well as layering with each other, rulesets also layer with protection rules targeting the same branch or tag. |
| 105 | +| **Pros** | **Cons** | |
| 106 | +|-----------------------|---------------------------| |
| 107 | +| Requiring status checks ensures code is validated before deployment. | Strict CI approvals can slow down deployments. | |
| 108 | +| Integrating GitHub Actions with rulesets enforces compliance automatically. | Blocking third-party Actions limits automation options. | |
| 109 | +| Built-in Code Scanning and Dependency Management embed security into pipelines. | | |
65 | 110 |
|
66 | | -For example, consider the following situation for the `my-feature` branch of the `octo-org/octo-repo` repository: |
| 111 | +## GitHub audit log APIs for investigating missing assets |
67 | 112 |
|
68 | | -- A repository administrator has set up a ruleset targeting the `my-feature` branch. This ruleset requires signed commits, and three reviews on pull requests before they can be merged. |
69 | | -- An existing branch protection rule for the `my-feature` branch requires a linear commit history and two reviews on pull requests before they can be merged. |
| 113 | +Audit logs provide visibility into events such as repository deletions or member removals. Use REST or GraphQL to query and remediate. |
70 | 114 |
|
71 | | -The rules from each source are aggregated, and all rules apply. Where multiple different versions of the same rule exist, the result is that the most restrictive version of the rule applies. Therefore, the `my-feature` branch requires signed commits and a linear commit history, and pull requests targeting the branch will require three reviews before they can be merged. |
| 115 | +### Steps to troubleshoot missing assets |
72 | 116 |
|
73 | | -## Using rulesets on an Enterprise plan |
| 117 | +1. **Identify the asset:** (e.g., `repository.deleted`). |
| 118 | +2. **Query the Audit Log API (REST):** |
| 119 | + ```http |
| 120 | + GET /orgs/{org}/audit-log?phrase=repository.deleted |
| 121 | + Authorization: Bearer YOUR_TOKEN |
| 122 | + ``` |
| 123 | +3. **Query via GraphQL:** |
| 124 | + ```graphql |
| 125 | + query { |
| 126 | + auditLogEntries(first: 10, query: "repository.deleted") { |
| 127 | + nodes { |
| 128 | + action |
| 129 | + actor { login } |
| 130 | + createdAt |
| 131 | + } |
| 132 | + } |
| 133 | + } |
| 134 | + ``` |
| 135 | +4. **Filter & inspect:** Focus on relevant events (`repository.deleted`, `org.member_removed`). |
| 136 | +5. **Remediate:** Restore assets or tighten security settings. |
74 | 137 |
|
75 | | -For organizations on a GitHub Enterprise plan, you can also do the following with rulesets: |
76 | 138 |
|
77 | | -- Quickly set up rulesets at the organization level to target multiple repositories in your organization. |
78 | | -- Create additional rules to control the metadata of commits entering a repository, such as the commit message and the author's email address. |
79 | | -- Use an *Evaluate* status to test a ruleset before making it active, and use an insights page to view which user actions are being affected by rules. |
|
0 commit comments