Skip to content
Latchkey

How to Use Branch Protection as a Compliance Control

Branch protection that blocks force pushes and deletions makes the main branch history append only, which is exactly what change-control audits look for.

Branch protection is more than hygiene; it is a control you can point an auditor to. Block force pushes and branch deletion, require linear history, and require the change process to run. This page is educational configuration guidance.

Steps

  • Disallow force pushes and deletions on the default branch.
  • Require a pull request, approvals, and passing status checks before merge.
  • Require linear history so the audit trail stays readable.
  • Include administrators so the control applies to everyone.

Branch protection via API

Terminal
gh api -X PUT repos/acme/app/branches/main/protection --input - <<'JSON'
{
  "required_status_checks": { "strict": true, "contexts": ["build", "test"] },
  "enforce_admins": true,
  "required_pull_request_reviews": { "required_approving_review_count": 2 },
  "restrictions": null,
  "allow_force_pushes": false,
  "allow_deletions": false,
  "required_linear_history": true
}
JSON

Notes

  • "enforce_admins": true prevents the classic gap where admins bypass the control.
  • Blocking force pushes is what keeps the history tamper evident.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →