teamhephy / builder


Protect pushes from wrong branch #25

Open Cryptophobia opened 6 years ago

Cryptophobia commented 6 years ago

From @nathansamson on January 13, 2017 10:0

TLDR; I want to protect certain apps to only be pushable by a certain branch, and preferably not allow forced pushes (similar to GitLab's protected branches - https://about.gitlab.com/2014/11/26/keeping-your-code-protected/).

This to prevent accidental pushes to my production application.

Note: as suggested in comments on the original report, this can also be achieved with a good CI/CD policy, but some protection at the workflow level is also a nice addition.

Long story.

Let's say I have an app, and I have different environments (test, preprod, production, various short-lived test branches, ...) for this app. Each of these environments is linked to a branch.

test -> master
preprod -> stable
production -> (also) stable
feature-x -> feature-x
you get the idea...

To deploy a new version I just do `git push deis-production stable` and all is well. Another developer/ops guy takes an old version of stable, does an emergency commit + deploy and does a `git push deis-production stable --force` as well. (In theory he should have checked why he needed to force, but sometimes in the heat of time you don't think too well.)

Alternatively (and this does not require a `--force`, so it is easier to do accidentally) one of the deployment guys does `git push deis-production master` (either he intended to deploy to test, or intended to deploy another branch).

If there were an option to say `deis apps:protect branch-name`, to only allow pushes to that application with that branch-name, and enforce non `--force` pushes, this would prevent these errors.

Blatant copy paste from deis/deis#4460

Copied from original issue: deis/builder#463
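
The policy requested above, sketched as a generic git `pre-receive` check. This is an added example, not part of the original issue and not builder's own code. `ALLOWED_REF` and `IS_FF_CMD` are hypothetical names introduced here; `IS_FF_CMD` exists only so the policy can be exercised without a repository.

```shell
#!/bin/sh
# Added example: server-side "protected branch" policy for one app remote.
# git feeds pre-receive one "<old-sha> <new-sha> <refname>" line per updated ref.
ZERO=0000000000000000000000000000000000000000

# True when OLD is an ancestor of NEW, i.e. the update is a fast-forward.
# IS_FF_CMD (hypothetical) overrides the git call for offline testing.
is_fast_forward() {
    ${IS_FF_CMD:-git merge-base --is-ancestor} "$1" "$2"
}

# check_update ALLOWED_REF OLD NEW REF
# Returns 0 to accept; prints the reason to stderr and returns 1 to reject.
check_update() {
    allowed=$1 old=$2 new=$3 ref=$4
    if [ "$ref" != "$allowed" ]; then
        echo "rejected: $ref is not the protected branch $allowed" >&2
        return 1
    fi
    if [ "$new" = "$ZERO" ]; then
        echo "rejected: deleting $ref is not allowed" >&2
        return 1
    fi
    # A first push (old is all zeros) has no history to rewrite.
    if [ "$old" != "$ZERO" ] && ! is_fast_forward "$old" "$new"; then
        echo "rejected: non-fast-forward (forced) push to $ref" >&2
        return 1
    fi
    return 0
}

# check_push ALLOWED_REF: applies the policy to every ref line on stdin.
check_push() {
    while read -r old new ref; do
        check_update "$1" "$old" "$new" "$ref" || return 1
    done
    return 0
}

# Run as a hook only when installed under the name pre-receive.
case "$0" in
    *pre-receive) check_push "${ALLOWED_REF:-refs/heads/stable}" ;;
esac
```

With this installed on the production remote, `git push deis-production master` fails the ref-name check, and a `--force` push of a rewritten `stable` fails the ancestry check.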