A way to restrict Git branch access?

Question

I have four branches in my git repository, which is managed using GitHub:

• Production
• Staging
• Master
• [person\'s name]-development

Answer 1

Esko suggested great solution suitable for open-source projects. However it requires that every member of a collaborators team has a paid account on GitHub, which is not always true.

VonC pointed out that there's another solution which involves only one paid GitHub account. And I'm going to provide some tutorial how to implement VonC's solution.

Let's suppose that we have two private repositories: test-test and test-production. The first repo is for development and every member of a team has access to it. The second repo is for automatic deployment of code and therefore strong access restrictions are applied to it.

Setup for developers is pretty simple and staightforward: git clone https://github.com//test-test, do their work and push it back.

Setup for collaborators is a bit more complicated:

1. Pull branches from the development repo git clone https://github.com//test-test

2. Add remote repository git remote add production-repo https://github.com//test-production.git

3. Fetch data from new repo git fetch production-repo

4. Create new local branch for production code and switch to it git checkout -b local-production

5. Tell git to link local and remote branches git branch -u production-repo/production

6. Download contents of the remote production branch to the local one git pull

7. Sort out possible conflicts and that's it!

Now everything that is pushed from the local-production branch will get into the test-production repo and the other branches will be pushed to the test-test repo.

Ok, that's cool, but what about more granular ([person's name]-development) access? - You may ask. The answer is: you can create repos similar to test-test for every developer and use the same pattern for setting them up. The downside of this approach is that collaborators will have to clone each of test-test-[person's name]-development repos.

VonC also suggested to fork the production repo and to make pull requests to it - why not to do like that? Firstly, because you can't fork a private repo without having paid GitHub account. Secondly, to allow someone to fork a private repo, you give him full access to it, so he can push to it directly. And a developer can make a mistake, push to the production repo launching GitHub service hooks and screwing things up. And if you use several outsource developers, this will likely happen.

Also I'd like to warn you about a bugfeature in the official GitHub app for Windows. The branches with an upstream different from the origin will get into origin. So use the command line for pushing.

All these things sound little bit overcomplicated. But it is always like that if you don't want to pay for simplicity.