The current branch protection rules enforce that status checks should pass before a PR can be merged to master. Additionally, the PR should be approved by a minimum of one maintainer.
However, we do not define WHICH status checks should be enforced. This means that a PR which fails every single status check, but has one approval, can still be merged to master. To resolve this, we should enforce that all CI jobs pass before a PR can be merged, which is a simple change in Github's branch protection settings.
% gh api repos/uber/kraken/branches/master --jq ".protection"
{
"enabled": true,
"required_status_checks": {
"checks": [],
"contexts": [],
"enforcement_level": "everyone"
}
}
The current branch protection rules enforce that status checks should pass before a PR can be merged to master. Additionally, the PR should be approved by a minimum of one maintainer.
However, we do not define WHICH status checks should be enforced. This means that a PR which fails every single status check, but has one approval, can still be merged to master. To resolve this, we should enforce that all CI jobs pass before a PR can be merged, which is a simple change in Github's branch protection settings.