BranchProtection

Protects a GitHub branch.

This resource allows you to configure branch protection for repositories in your organization. When applied, the branch will be protected from forced pushes and deletion. Additional constraints, such as required status checks or restrictions on users, teams, and apps, can also be configured.

Example Usage

using Pulumi;
using Github = Pulumi.Github;

class MyStack : Stack
{
    public MyStack()
    {
        var exampleTeam = new Github.Team("exampleTeam", new Github.TeamArgs
        {
        });
        // Protect the master branch of the foo repository. Additionally, require that
        // the "ci/travis" context to be passing and only allow the engineers team merge
        // to the branch.
        var exampleBranchProtection = new Github.BranchProtection("exampleBranchProtection", new Github.BranchProtectionArgs
        {
            Branch = "master",
            EnforceAdmins = true,
            Repository = github_repository.Example.Name,
            RequiredPullRequestReviews = new Github.Inputs.BranchProtectionRequiredPullRequestReviewsArgs
            {
                DismissStaleReviews = true,
                DismissalTeams = 
                {
                    exampleTeam.Slug,
                    github_team.Second.Slug,
                },
                DismissalUsers = 
                {
                    "foo-user",
                },
            },
            RequiredStatusChecks = new Github.Inputs.BranchProtectionRequiredStatusChecksArgs
            {
                Contexts = 
                {
                    "ci/travis",
                },
                Strict = false,
            },
            Restrictions = new Github.Inputs.BranchProtectionRestrictionsArgs
            {
                Apps = 
                {
                    "foo-app",
                },
                Teams = 
                {
                    exampleTeam.Slug,
                },
                Users = 
                {
                    "foo-user",
                },
            },
        });
        var exampleTeamRepository = new Github.TeamRepository("exampleTeamRepository", new Github.TeamRepositoryArgs
        {
            Permission = "pull",
            Repository = github_repository.Example.Name,
            TeamId = exampleTeam.Id,
        });
    }

}

Coming soon!

import pulumi
import pulumi_github as github

example_team = github.Team("exampleTeam")
# Protect the master branch of the foo repository. Additionally, require that
# the "ci/travis" context to be passing and only allow the engineers team merge
# to the branch.
example_branch_protection = github.BranchProtection("exampleBranchProtection",
    branch="master",
    enforce_admins=True,
    repository=github_repository["example"]["name"],
    required_pull_request_reviews={
        "dismissStaleReviews": True,
        "dismissalTeams": [
            example_team.slug,
            github_team["second"]["slug"],
        ],
        "dismissalUsers": ["foo-user"],
    },
    required_status_checks={
        "contexts": ["ci/travis"],
        "strict": False,
    },
    restrictions={
        "apps": ["foo-app"],
        "teams": [example_team.slug],
        "users": ["foo-user"],
    })
example_team_repository = github.TeamRepository("exampleTeamRepository",
    permission="pull",
    repository=github_repository["example"]["name"],
    team_id=example_team.id)

import * as pulumi from "@pulumi/pulumi";
import * as github from "@pulumi/github";

const exampleTeam = new github.Team("example", {});
// Protect the master branch of the foo repository. Additionally, require that
// the "ci/travis" context to be passing and only allow the engineers team merge
// to the branch.
const exampleBranchProtection = new github.BranchProtection("example", {
    branch: "master",
    enforceAdmins: true,
    repository: github_repository_example.name,
    requiredPullRequestReviews: {
        dismissStaleReviews: true,
        dismissalTeams: [
            exampleTeam.slug,
            github_team_second.slug,
        ],
        dismissalUsers: ["foo-user"],
    },
    requiredStatusChecks: {
        contexts: ["ci/travis"],
        strict: false,
    },
    restrictions: {
        apps: ["foo-app"],
        teams: [exampleTeam.slug],
        users: ["foo-user"],
    },
});
const exampleTeamRepository = new github.TeamRepository("example", {
    permission: "pull",
    repository: github_repository_example.name,
    teamId: exampleTeam.id,
});

Create a BranchProtection Resource

new BranchProtection(name: string, args: BranchProtectionArgs, opts?: CustomResourceOptions);

def BranchProtection(resource_name, opts=None, branch=None, enforce_admins=None, repository=None, require_signed_commits=None, required_pull_request_reviews=None, required_status_checks=None, restrictions=None, __props__=None);

func NewBranchProtection(ctx *Context, name string, args BranchProtectionArgs, opts ...ResourceOption) (*BranchProtection, error)

public BranchProtection(string name, BranchProtectionArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args BranchProtectionArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args BranchProtectionArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args BranchProtectionArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

BranchProtection Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The BranchProtection resource accepts the following input properties:

Branch string: The Git branch to protect.
Repository string: The GitHub repository name.
EnforceAdmins bool: Boolean, setting this to true enforces status checks for repository administrators.
RequireSignedCommits bool: Boolean, setting this to true requires all commits to be signed with GPG.
RequiredPullRequestReviews BranchProtectionRequiredPullRequestReviewsArgs: Enforce restrictions for pull request reviews. See Required Pull Request Reviews below for details.
RequiredStatusChecks BranchProtectionRequiredStatusChecksArgs: Enforce restrictions for required status checks. See Required Status Checks below for details.
Restrictions BranchProtectionRestrictionsArgs: Enforce restrictions for the users and teams that may push to the branch. See Restrictions below for details.

Branch string: The Git branch to protect.
Repository string: The GitHub repository name.
EnforceAdmins bool: Boolean, setting this to true enforces status checks for repository administrators.
RequireSignedCommits bool: Boolean, setting this to true requires all commits to be signed with GPG.
RequiredPullRequestReviews BranchProtectionRequiredPullRequestReviews: Enforce restrictions for pull request reviews. See Required Pull Request Reviews below for details.
RequiredStatusChecks BranchProtectionRequiredStatusChecks: Enforce restrictions for required status checks. See Required Status Checks below for details.
Restrictions BranchProtectionRestrictions: Enforce restrictions for the users and teams that may push to the branch. See Restrictions below for details.

branch string: The Git branch to protect.
repository string: The GitHub repository name.
enforceAdmins boolean: Boolean, setting this to true enforces status checks for repository administrators.
requireSignedCommits boolean: Boolean, setting this to true requires all commits to be signed with GPG.
requiredPullRequestReviews BranchProtectionRequiredPullRequestReviews: Enforce restrictions for pull request reviews. See Required Pull Request Reviews below for details.
requiredStatusChecks BranchProtectionRequiredStatusChecks: Enforce restrictions for required status checks. See Required Status Checks below for details.
restrictions BranchProtectionRestrictions: Enforce restrictions for the users and teams that may push to the branch. See Restrictions below for details.

branch str: The Git branch to protect.
repository str: The GitHub repository name.
enforce_admins bool: Boolean, setting this to true enforces status checks for repository administrators.
require_signed_commits bool: Boolean, setting this to true requires all commits to be signed with GPG.
required_pull_request_reviews Dict[BranchProtectionRequiredPullRequestReviews]: Enforce restrictions for pull request reviews. See Required Pull Request Reviews below for details.
required_status_checks Dict[BranchProtectionRequiredStatusChecks]: Enforce restrictions for required status checks. See Required Status Checks below for details.
restrictions Dict[BranchProtectionRestrictions]: Enforce restrictions for the users and teams that may push to the branch. See Restrictions below for details.

Outputs

All input properties are implicitly available as output properties. Additionally, the BranchProtection resource produces the following output properties:

Etag string
Id string: The provider-assigned unique ID for this managed resource.

Etag string
Id string: The provider-assigned unique ID for this managed resource.

etag string
id string: The provider-assigned unique ID for this managed resource.

etag str
id str: The provider-assigned unique ID for this managed resource.

Look up an Existing BranchProtection Resource

Get an existing BranchProtection resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: BranchProtectionState, opts?: CustomResourceOptions): BranchProtection

static get(resource_name, id, opts=None, branch=None, enforce_admins=None, etag=None, repository=None, require_signed_commits=None, required_pull_request_reviews=None, required_status_checks=None, restrictions=None, __props__=None);

func GetBranchProtection(ctx *Context, name string, id IDInput, state *BranchProtectionState, opts ...ResourceOption) (*BranchProtection, error)

public static BranchProtection Get(string name, Input<string> id, BranchProtectionState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Branch string: The Git branch to protect.
EnforceAdmins bool: Boolean, setting this to true enforces status checks for repository administrators.
Etag string
Repository string: The GitHub repository name.
RequireSignedCommits bool: Boolean, setting this to true requires all commits to be signed with GPG.
RequiredPullRequestReviews BranchProtectionRequiredPullRequestReviewsArgs: Enforce restrictions for pull request reviews. See Required Pull Request Reviews below for details.
RequiredStatusChecks BranchProtectionRequiredStatusChecksArgs: Enforce restrictions for required status checks. See Required Status Checks below for details.
Restrictions BranchProtectionRestrictionsArgs: Enforce restrictions for the users and teams that may push to the branch. See Restrictions below for details.

Branch string: The Git branch to protect.
EnforceAdmins bool: Boolean, setting this to true enforces status checks for repository administrators.
Etag string
Repository string: The GitHub repository name.
RequireSignedCommits bool: Boolean, setting this to true requires all commits to be signed with GPG.
RequiredPullRequestReviews BranchProtectionRequiredPullRequestReviews: Enforce restrictions for pull request reviews. See Required Pull Request Reviews below for details.
RequiredStatusChecks BranchProtectionRequiredStatusChecks: Enforce restrictions for required status checks. See Required Status Checks below for details.
Restrictions BranchProtectionRestrictions: Enforce restrictions for the users and teams that may push to the branch. See Restrictions below for details.

branch string: The Git branch to protect.
enforceAdmins boolean: Boolean, setting this to true enforces status checks for repository administrators.
etag string
repository string: The GitHub repository name.
requireSignedCommits boolean: Boolean, setting this to true requires all commits to be signed with GPG.
requiredPullRequestReviews BranchProtectionRequiredPullRequestReviews: Enforce restrictions for pull request reviews. See Required Pull Request Reviews below for details.
requiredStatusChecks BranchProtectionRequiredStatusChecks: Enforce restrictions for required status checks. See Required Status Checks below for details.
restrictions BranchProtectionRestrictions: Enforce restrictions for the users and teams that may push to the branch. See Restrictions below for details.

branch str: The Git branch to protect.
enforce_admins bool: Boolean, setting this to true enforces status checks for repository administrators.
etag str
repository str: The GitHub repository name.
require_signed_commits bool: Boolean, setting this to true requires all commits to be signed with GPG.
required_pull_request_reviews Dict[BranchProtectionRequiredPullRequestReviews]: Enforce restrictions for pull request reviews. See Required Pull Request Reviews below for details.
required_status_checks Dict[BranchProtectionRequiredStatusChecks]: Enforce restrictions for required status checks. See Required Status Checks below for details.
restrictions Dict[BranchProtectionRestrictions]: Enforce restrictions for the users and teams that may push to the branch. See Restrictions below for details.