Set up Git Flow workflow with branch protection and security settings
Sets up Git Flow workflow with branch protection and security settings.

Install the plugin:

```
/plugin marketplace add signalcompose/YPM
/plugin install ypm@signalcompose-ypm
```

Set up Git Flow workflow for the current project with branch protection and security settings.
Ask the user about the project type to determine the security settings:

Question: What type of project is this?

- Personal Project (no forks)
- Small OSS (trusted contributors)
- Large OSS / Security Critical
| Setting | Personal | Small OSS | Large OSS |
|---|---|---|---|
| Visibility | Private | Public | Public |
| Secret Scanning | Not needed | Recommended | Required |
| CODEOWNERS | Not needed | Recommended | Required |
| develop protection | Optional | Recommended | Required |
| enforce_admins | false | false | true/false |
| Fork PR restriction | Not needed | Optional | Recommended |
| Auto-merge disabled | Not needed | Not needed | Optional |
Question: What is the development style?
```bash
# Check remote repository
git remote -v
# Get GitHub repository info
gh repo view --json nameWithOwner,isPrivate,defaultBranchRef 2>/dev/null
```

If the repository exists: proceed to branch setup.
If it is not registered: guide the user to create the repository first.
```bash
# Initialize Git repository (if not initialized)
if [ ! -d .git ]; then
  git init
  git add .
  git commit -m "Initial commit"
fi
# Create GitHub repository (use --public for the OSS project types in the table above)
gh repo create <REPO_NAME> --private --source=. --remote=origin --push
```
```bash
# Ensure main branch exists
git checkout -b main 2>/dev/null || git checkout main
# Initial commit (if none exists)
if [ -z "$(git log -1 2>/dev/null)" ]; then
  echo "# $(basename "$(pwd)")" > README.md
  git add README.md
  git commit -m "Initial commit"
  git push -u origin main
fi
# Create develop branch
git checkout -b develop
git push -u origin develop
# Verify main is the default branch (usually already set)
gh repo view --json defaultBranchRef --jq '.defaultBranchRef.name'
# If not main, change it:
# gh repo edit --default-branch main
```
```bash
# Branch protection template; the placeholders are filled from the answers above
cat > /tmp/branch_protection.json <<EOF
{
  "required_status_checks": null,
  "enforce_admins": <ENFORCE_ADMINS>,
  "required_pull_request_reviews": {
    "required_approving_review_count": <REVIEWER_COUNT>,
    "dismiss_stale_reviews": true,
    "require_code_owner_reviews": false
  },
  "restrictions": null,
  "required_linear_history": false,
  "allow_force_pushes": false,
  "allow_deletions": false,
  "block_creations": false,
  "required_conversation_resolution": false
}
EOF
```
Parameters:
- <ENFORCE_ADMINS>: Solo=false, Team=true
- <REVIEWER_COUNT>: Solo=1 (bypass allowed), Team=1 (required)

With enforce_admins=false the protection rules are not applied to repository admins, which is what makes the Solo bypass possible; required_status_checks is null, so no CI check gates the merge.

```bash
gh api repos/:owner/:repo/branches/main/protection \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  --input /tmp/branch_protection.json
gh api repos/:owner/:repo/branches/develop/protection \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  --input /tmp/branch_protection.json
```
Important: Disable squash and rebase merge at repository level
```bash
# -F sends typed values (true/false become JSON booleans); -f would send the strings "false"/"true"
gh api repos/:owner/:repo \
  -X PATCH \
  -H "Accept: application/vnd.github+json" \
  -F allow_squash_merge=false \
  -F allow_rebase_merge=false \
  -F allow_merge_commit=true
```
Why: Git Flow requires merge commits. Squash/rebase destroys Git Flow history.
```bash
mkdir -p .github
cat > .github/CODEOWNERS <<'EOF'
# CODEOWNERS
# Important file changes require approval

# Global
* @<OWNER>

# GitHub config
/.github/ @<OWNER>

# CI/CD
/.github/workflows/ @<OWNER>

# Dependencies
/package.json @<OWNER>
/requirements.txt @<OWNER>

# Security
/.gitignore @<OWNER>
EOF
git add .github/CODEOWNERS
git commit -m "chore: Add CODEOWNERS for security"
git push
```
Note: Replace <OWNER> with the repository owner's GitHub username. GitHub only enforces code-owner approval when `require_code_owner_reviews` is true in the branch protection; with the template above (false) the CODEOWNERS file requests reviews from the owner but does not block the merge.
```bash
# security_and_analysis is a nested object: send it as JSON via --input (-f would send a plain string)
gh api repos/:owner/:repo -X PATCH -H "Accept: application/vnd.github+json" --input - <<'EOF'
{"security_and_analysis": {"secret_scanning": {"status": "enabled"},
                           "secret_scanning_push_protection": {"status": "enabled"}}}
EOF
```

Secret scanning is available without extra licensing only on public repositories; on a private repository this call needs GitHub Advanced Security enabled.
```bash
gh api repos/:owner/:repo \
  -X PATCH \
  -H "Accept: application/vnd.github+json" \
  -F allow_forking=true \
  -F allow_auto_merge=false
```
```bash
# Check branches
git branch -a
# Check default branch
gh repo view --json defaultBranchRef --jq '.defaultBranchRef.name'
# Check branch protection
gh api repos/:owner/:repo/branches/main/protection
# Check merge settings
gh api repos/:owner/:repo --jq '{allow_squash_merge, allow_merge_commit, allow_rebase_merge}'
```
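As an added example (not part of the YPM plugin), a drift check over the JSON the verification commands above return: it flags any setting that has wandered from the policy in the table and the protection template. The GET response shape (booleans wrapped in `{"enabled": ...}`) is assumed from GitHub's REST API, and the sample responses are constructed.

```python
# GET .../branches/<branch>/protection wraps booleans as {"enabled": bool};
# the PUT body above uses bare booleans. Accept both shapes.
def _on(value):
    return bool(value.get("enabled")) if isinstance(value, dict) else bool(value)

def check_branch_protection(protection, enforce_admins):
    """Violations of the Git Flow policy for one branch's protection JSON.
    enforce_admins: expected bool, or None when either value is acceptable (Large OSS row)."""
    problems = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        problems.append("pull request review not required")
    if not reviews.get("dismiss_stale_reviews"):
        problems.append("stale reviews are not dismissed")
    if _on(protection.get("allow_force_pushes")):
        problems.append("force pushes allowed")
    if _on(protection.get("allow_deletions")):
        problems.append("branch deletion allowed")
    if _on(protection.get("required_linear_history")):
        problems.append("linear history required (breaks Git Flow merge commits)")
    if enforce_admins is not None and _on(protection.get("enforce_admins")) != enforce_admins:
        problems.append("enforce_admins should be " + str(enforce_admins).lower())
    return problems

def check_repo_settings(repo, secret_scanning_required):
    """Violations in the repository-level merge and security settings."""
    problems = []
    if repo.get("allow_squash_merge") or repo.get("allow_rebase_merge"):
        problems.append("squash/rebase merge enabled (destroys Git Flow history)")
    if not repo.get("allow_merge_commit"):
        problems.append("merge commits disabled")
    scanning = (repo.get("security_and_analysis") or {}).get("secret_scanning") or {}
    if secret_scanning_required and scanning.get("status") != "enabled":
        problems.append("secret scanning not enabled")
    return problems

# Constructed sample responses (not real API output): drift this check should catch,
# e.g. someone re-enabled force pushes and squash merge after the setup ran.
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1, "dismiss_stale_reviews": True},
    "enforce_admins": {"enabled": False}, "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False}, "required_linear_history": {"enabled": False}}
SAMPLE_REPO = {"allow_squash_merge": True, "allow_rebase_merge": False, "allow_merge_commit": True,
               "security_and_analysis": {"secret_scanning": {"status": "disabled"}}}

if __name__ == "__main__":
    for p in (check_branch_protection(SAMPLE_PROTECTION, False)
              + check_repo_settings(SAMPLE_REPO, True)):
        print("VIOLATION:", p)
```

In practice, feed it the output of `gh api repos/:owner/:repo/branches/main/protection` and `gh api repos/:owner/:repo` loaded with `json.load`, choosing `enforce_admins` and `secret_scanning_required` from the project-type table.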
Completion message shown to the user:

```text
Git Flow Setup Complete!

【Branch Structure】
- main: Production (default, protected)
- develop: Development (protected)

【Branch Protection】
- Direct push to main/develop: Disabled
- Pull Request merge only: Enabled
- Merge commit required (squash disabled)
- Reviewers: <N>
- Admin bypass: <based on enforce_admins>
- required_linear_history: false (Git Flow compatible)

【Merge Settings】
- allow_squash_merge: false
- allow_rebase_merge: false
- allow_merge_commit: true

【Security Settings】
<List applied settings based on project type>

【Git Workflow Absolute Prohibitions】
- main -> develop reverse flow (MOST IMPORTANT)
- Direct commits to main/develop branches
- Squash merge (destroys Git Flow history)

【Next Steps】
1. New feature: `git checkout -b feature/<name>` from develop
2. Commit & push changes
3. Create Pull Request (develop <- feature)
4. After review, merge to develop (use merge commit)
5. Release: Create Pull Request (main <- develop)
6. After release, tag: `git tag v1.0.0`

【Important】
- Direct PR from develop to main is allowed ONLY for releases
- Reverse direction (main -> develop) is ABSOLUTELY PROHIBITED
- Always use "Create a merge commit" when merging
```
Prerequisites:

```bash
# Install GitHub CLI
brew install gh
# Authenticate
gh auth login
```