Back to Blog

The Day I Discovered GitHub Rulesets and Finally Won the War Against Configuration Drift

Branch protection rules are the technical debt you didn't see coming. You think you're being responsible by locking down your main branch, but the moment you hit repository number twenty, you’ve actually just built a distributed maintenance nightmare that’s guaranteed to fall out of sync.

I realized this when a junior dev accidentally pushed a broken build directly to the "protected" production branch of a legacy service. I was confused—I *knew* I’d set up branch protections there. Turns out, I’d set them up on thirty other repos, but forgot that specific one because it was created during a frantic sprint six months prior. That’s configuration drift in its purest, most annoying form.

If your security posture depends on a human remembering to check a box in 50 different places, you don't have a security posture—you have a hobby.

The "Manual" Era Was a Death Trap

Before Rulesets, GitHub’s branch protection was repo-specific. If you wanted to change the number of required reviewers from one to two across the whole company, you had two choices:
1. Spend an entire Tuesday clicking through UI menus until your eyes bled.
2. Write a brittle script to hit the GitHub API for every single repository.

Neither is sustainable. Rulesets change the game by moving the logic from the Repository level to the Organization level. Instead of saying "This repo has these rules," you say "Any repo in this organization that matches this pattern must follow these rules."

Setting Up Your First "Global" Rule

The magic happens in your Organization Settings under Repository > Rulesets.

The killer feature here is the Targeting. You don't have to select repos one by one. You can use fnmatch patterns. I usually start with a "Tier 1" ruleset that targets the main or prod branches of every repository in the org.

Here is what a standard "Safe Defaults" ruleset looks like in my world:

- Target branches: include: [main, master, production]
- Restricted updates: No force pushes (obviously).
- Require a pull request before merging:
- Required approvals: 1
- Dismiss stale pull request approvals when new commits are pushed (don't skip this, it's how bugs sneak in).
- Require status checks to pass: Ensure your CI (like GitHub Actions) actually finishes before someone hits merge.

The "Bypass List" is the Hero We Deserved

In the old branch protection world, if an admin needed to push an emergency fix that bypassed CI, you had to disable the protection, push, and then *remember* to turn it back on.

Rulesets have a Bypass List. You can specify that a certain team (like Platform-Admins or a specific Deploy-Bot) can bypass the rules without turning them off for everyone else. It’s audited, it’s transparent, and it’s permanent.

The Power of Metadata Restrictions

This is where things get nerdy and incredibly useful. Rulesets allow you to enforce Metadata Restrictions.

Have you ever wanted to ensure that every commit message starts with a JIRA ticket number? Or that no one accidentally pushes a branch named test-123-FIX-THIS-PLEASE to the server?

You can add a "Restrict commit message pattern" rule:

# Example Regex for JIRA-style tickets
^([A-Z]+-[0-9]+|Merge branch).*

If a developer tries to push a commit that says "fixed stuff," the server rejects the push before it even touches the remote. This forces better habits without a single "Please fix your commit messages" comment on a PR.

The "Evaluate" Mode: Testing Without Breaking

The scariest part of changing global infrastructure is the "Scream Test"—changing something and waiting to see who screams first. GitHub Rulesets have an Evaluate mode.

When you set a ruleset to "Evaluate," GitHub tracks what *would* have been blocked but allows the action to go through anyway. You can check the Insights tab to see:
* "Oh, the Data Science team uses a weird branching strategy that my new rule would have broken."
* "The automation bot doesn't have the right permissions."

You can tune your rules based on real data before you flip the switch to Active.

The Gotcha: Ruleset Layering

One thing that tripped me up early on is how rulesets stack. Rulesets are additive. If you have an Org-level ruleset requiring 1 reviewer and a Repo-level ruleset requiring 2 reviewers, GitHub will require 2.

However, if they conflict—say one rule requires signed commits and another doesn't—the most restrictive one wins. You can't "un-require" something in a sub-ruleset that was required at the Org level.

Why You Should Switch Today

Switching to Rulesets stopped my "configuration drift" anxiety. Now, when we create a new microservice, I don't have to double-check the settings. Because the repo lives in our Org, and the primary branch is named main, the ruleset catches it automatically.

It’s the difference between being a mechanic who fixes every car by hand and being the engineer who designed the assembly line. Stop clicking buttons in the UI and start governing your code.