Rulesets

GitHub Rulesets allow you to enforce specific rules on branches and tags at the repository level. At emLab, we use rulesets primarily to protect the main branch: preventing direct pushes, requiring pull request reviews, and optionally enabling automated code review.

Why protect the main branch?

The main branch is the primary record of the project. It should always be in a working state, and ideally, every change to it should have passed through some form of deliberate review. Without branch protection, it is easy to accidentally push directly to main, bypass review, or merge changes that have not been inspected.

Setting up a ruleset

To add a ruleset to a repository, navigate to Settings > Rules > Rulesets and click New ruleset > New branch ruleset.

Configure the following:

Target branches: Set the target to main, or to the default branch if you want the ruleset to follow the default branch automatically. The pattern ~DEFAULT_BRANCH targets whatever the default branch is named.

Rules to enable:

  • Restrict deletions: Prevents the main branch from being deleted.
  • Require a pull request before merging: Requires that changes come through a PR rather than a direct push. Under this setting, you can also specify the number of required approvals (at minimum, 1) and whether to dismiss stale reviews when new commits are pushed.
  • Block force pushes: Prevents rewriting history on main.

At a minimum, enable all three of the above. These settings ensure that nothing enters main without a PR, and that the history cannot be rewritten after the fact.

Bypass list: You can optionally add organization owners or repository admins to a bypass list, allowing them to push directly to main in exceptional circumstances. Use this sparingly.

Automatic Copilot code review

GitHub Copilot includes an automated code review feature that can be enabled on pull requests. When enabled, Copilot will automatically review new PRs and leave comments on potential issues, stylistic concerns, and code quality problems.

To enable it, navigate to Settings > Copilot in the repository and turn on Copilot code review. You can also add a Copilot review as a required check within the ruleset, so that a PR cannot be merged until Copilot has reviewed it.

Copilot’s automated reviews are a useful first pass, but they do not replace human review. They tend to catch surface-level issues, but will miss analytical errors, conceptual mistakes, or context-specific problems that require domain knowledge.

Checking your ruleset configuration

After creating a ruleset, test it by attempting to push directly to main from a local clone. You should receive an error like:

remote: error: GH013: Repository rule violations found for refs/heads/main.

If you see that, the ruleset is working. If the push succeeds, double-check that the branch name in the ruleset target matches the actual branch name in the repository.
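
The baseline above can also be checked without a test push by auditing the ruleset's JSON. The following is an added example, not emLab's own tooling: it assumes the ruleset has been fetched from GitHub's REST API (GET /repos/{owner}/{repo}/rulesets/{ruleset_id}), and the sample ruleset and the audit_ruleset helper are constructed for illustration.

```python
import json

# Constructed sample, shaped like the response of
# GET /repos/{owner}/{repo}/rulesets/{ruleset_id} (all values are made up).
SAMPLE_RULESET = json.loads("""
{
  "name": "protect-main",
  "target": "branch",
  "enforcement": "active",
  "bypass_actors": [
    {"actor_id": 5, "actor_type": "RepositoryRole", "bypass_mode": "always"}
  ],
  "conditions": {"ref_name": {"include": ["refs/heads/master"], "exclude": []}},
  "rules": [
    {"type": "deletion"},
    {"type": "pull_request",
     "parameters": {"required_approving_review_count": 0,
                    "dismiss_stale_reviews_on_push": true}}
  ]
}
""")

# API rule types for: Restrict deletions, Require a PR, Block force pushes.
REQUIRED_RULES = {"deletion", "pull_request", "non_fast_forward"}


def audit_ruleset(ruleset, branch="main"):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    if ruleset.get("enforcement") != "active":
        findings.append("ruleset is not active, so nothing is enforced")
    # Simplification: targets are compared literally; globs and excludes are ignored.
    include = (ruleset.get("conditions") or {}).get("ref_name", {}).get("include", [])
    if not {"~DEFAULT_BRANCH", "~ALL", f"refs/heads/{branch}"} & set(include):
        findings.append(f"target {include} does not cover {branch}")
    rules = {r["type"]: r.get("parameters", {}) for r in ruleset.get("rules", [])}
    for missing in sorted(REQUIRED_RULES - set(rules)):
        findings.append(f"missing rule: {missing}")
    if "pull_request" in rules:
        if rules["pull_request"].get("required_approving_review_count", 0) < 1:
            findings.append("pull_request rule requires fewer than 1 approval")
    for actor in ruleset.get("bypass_actors") or []:
        findings.append(f"bypass actor: {actor.get('actor_type')} "
                        f"({actor.get('bypass_mode')})")
    return findings


if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_RULESET):
        print("-", finding)
```

Bypass actors are always reported so that each entry on the bypass list gets a deliberate review; they are not necessarily misconfigurations.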