I’m managing a private repository and need to set up a workflow where all code changes go through me before they reach the main branches.
What I want to achieve:
I should be the only person who can merge code into master and production branches
All other team members need my approval before their code gets merged
Everything must stay within our private repository
I’ve been looking into different GitHub workflows but I’m confused about which approach works best for private repos. I know about forking but that seems more suited for open source projects. I also came across something called the Shared Repository Model but couldn’t find much documentation about it.
What’s the best way to set this up? Are there specific GitHub features or branch protection rules I should be using?
The shared repository model is perfect for this and works great with private repos. I’ve managed similar setups for years. Everyone works on the same repo, but you control access through branch protection and required reviews. Hit your repo settings, then Branches. Set up protection rules for master and production branches. Turn on “Restrict pushes that create files” and “Require pull request reviews before merging”. Definitely check “Dismiss stale PR reviews when new commits are pushed” and make yourself a required reviewer. If you’ve got automated testing, enable “Require status checks to pass”. Under “Restrict who can push to matching branches” you can limit direct pushes to just yourself. Your team creates feature branches and opens pull requests, while you keep complete control over what gets merged into protected branches.
I implemented a similar setup six months back and encountered some issues that might help you avoid complications. Besides basic branch protection settings, enable ‘Require branches to be up to date before merging’ to prevent conflicts when multiple pull requests are active. Additionally, establish a CODEOWNERS file in your repository’s root; placing an asterisk will designate you as the owner of all files, automatically making you a required reviewer for each pull request. This serves as a safeguard if someone neglects to tag you as a reviewer. One important note: be aware that admin privileges normally allow users to bypass branch protection settings. Ensure you check ‘Include administrators’ in the protection settings so that your teammates cannot merge without your approval. Once everyone gets acclimated, the workflow should run smoothly — they will push to feature branches, initiate pull requests, and await your approval before merging into the main branches.
definitely check out the branch protection rules! in settings, under branches, you can set it up so only you can merge to master or prod. just make sure to select “require pull request reviews” and add yourself as a reviewer. been using this and it’s super effective!