The rulesets section configures GitHub rulesets, which provide advanced protection for branches and tags. Rulesets offer more flexibility than traditional branch protection rules and can be applied at the organization or repository level.

Basic Configuration

name
string
required
The name of the ruleset.
rulesets:
  - name: Production Protection
target
string
required
The target of the ruleset. Can be:
  • branch - Apply rules to branches
  • tag - Apply rules to tags
rulesets:
  - name: Production Protection
    target: branch
enforcement
string
required
The enforcement level of the ruleset. evaluate lets admins see which pushes would have been blocked without actually blocking anything, so rules can be tested before they are enforced.
  • disabled - Ruleset is disabled
  • active - Ruleset is actively enforced
  • evaluate - Ruleset runs in evaluation mode (not enforced)
rulesets:
  - name: Production Protection
    target: branch
    enforcement: active

Bypass Actors

bypass_actors
array
The actors that can bypass the rules in this ruleset.
actor_id
number
required
The ID of the actor.
actor_type
string
required
The type of actor that can bypass a ruleset:
  • RepositoryRole - A repository role (actor_id is the role’s numeric ID: 2 for write, 4 for maintain, 5 for admin)
  • Team - A team (actor_id is the team’s numeric ID, not its slug)
  • Integration - A GitHub App (actor_id is the app’s numeric ID)
  • OrganizationAdmin - Organization administrators (use actor_id: 1)
bypass_mode
string
required
When the specified actor can bypass the ruleset:
  • always - Can always bypass, including on direct pushes
  • pull_request - Can bypass only when merging a pull request; direct pushes are still blocked
rulesets:
  - name: Production Protection
    target: branch
    enforcement: active
    bypass_actors:
      - actor_id: 1
        actor_type: OrganizationAdmin
        bypass_mode: always
      - actor_id: 1234
        actor_type: Team
        bypass_mode: pull_request

Conditions

conditions
object
Conditions that determine which refs the ruleset applies to.
conditions.ref_name
object
Parameters for a repository ruleset ref name condition.
include
array
required
Array of ref names or patterns to include. Patterns use fnmatch syntax and are fully qualified (refs/heads/... for branches, refs/tags/... for tags). At least one of these patterns must match for the condition to pass. Also accepts:
  • ~DEFAULT_BRANCH - The repository’s default branch
  • ~ALL - All branches or tags
exclude
array
Array of ref names or patterns to exclude. The condition will not pass if any of these patterns match.
conditions.repository_name
object
Only available for organization-level rulesets. Parameters for repository name matching.
include
array
required
Array of repository names or patterns to include. Also accepts ~ALL to include all repositories.
exclude
array
Array of repository names or patterns to exclude.
protected
boolean
Whether renaming of target repositories is prevented.
rulesets:
  - name: Production Protection
    target: branch
    enforcement: active
    conditions:
      ref_name:
        include:
          - "~DEFAULT_BRANCH"
          - "refs/heads/release/*"
        exclude:
          - "refs/heads/release/old"
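To see which refs the conditions above actually cover, here is an added example (not Safe Settings code) that evaluates a ruleset’s ref_name condition against a constructed list of refs. It embeds the ruleset as the dict that yaml.safe_load would return, expands the ~DEFAULT_BRANCH and ~ALL aliases, and translates fnmatch patterns to regexes under the assumption that `*` does not cross a `/` while `**` does; the constructed refs and the conservative choice to treat a ruleset with no ref_name condition as targeting nothing are this example’s, not the page’s.

```python
import re

# Constructed sample: the ruleset from the example above, in the shape that
# yaml.safe_load would return for it (a dict literal so this runs without PyYAML).
RULESET = {
    "name": "Production Protection",
    "target": "branch",
    "enforcement": "active",
    "conditions": {
        "ref_name": {
            "include": ["~DEFAULT_BRANCH", "refs/heads/release/*"],
            "exclude": ["refs/heads/release/old"],
        }
    },
}

def _fnmatch_to_regex(pattern: str) -> str:
    """Translate a ruleset pattern to an anchored regex.

    Assumption about GitHub's fnmatch flavour: '*' matches any run of
    characters except '/', '**' also crosses '/', '?' matches one
    non-slash character; everything else is literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"

def ref_matches(pattern: str, ref: str, target: str, default_branch: str) -> bool:
    """Match one fully qualified ref (refs/heads/... or refs/tags/...) against one
    include/exclude entry, expanding the ~DEFAULT_BRANCH and ~ALL aliases."""
    if pattern == "~ALL":
        prefix = "refs/heads/" if target == "branch" else "refs/tags/"
        return ref.startswith(prefix)
    if pattern == "~DEFAULT_BRANCH":
        return target == "branch" and ref == f"refs/heads/{default_branch}"
    return re.match(_fnmatch_to_regex(pattern), ref) is not None

def ruleset_applies(ruleset: dict, ref: str, default_branch: str = "main") -> bool:
    """True when at least one include entry matches and no exclude entry does."""
    cond = ruleset.get("conditions", {}).get("ref_name")
    if cond is None:
        # A ruleset without a ref_name condition targets nothing in this model
        # (a deliberately conservative choice made for this example).
        return False
    target = ruleset["target"]
    included = any(ref_matches(p, ref, target, default_branch) for p in cond.get("include", []))
    excluded = any(ref_matches(p, ref, target, default_branch) for p in cond.get("exclude", []))
    return included and not excluded

def matching_refs(ruleset: dict, refs: list[str], default_branch: str = "main") -> list[str]:
    """Filter a list of refs down to those the ruleset protects."""
    return [r for r in refs if ruleset_applies(ruleset, r, default_branch)]

# Constructed refs that exercise the include/exclude entries above.
SAMPLE_REFS = [
    "refs/heads/main",
    "refs/heads/develop",
    "refs/heads/release/1.2",
    "refs/heads/release/1.2/hotfix",
    "refs/heads/release/old",
    "refs/heads/feature/login",
    "refs/tags/v1.2.0",
]

if __name__ == "__main__":
    for ref in SAMPLE_REFS:
        print(f"{ref:35} {'protected' if ruleset_applies(RULESET, ref) else '-'}")
```

Note that refs/heads/release/1.2/hotfix is not covered by refs/heads/release/* under the single-star assumption; if nested release branches must be protected, write refs/heads/release/** instead.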

Rules

rules
array
required
An array of rules to enforce. Each rule is an object with a type field and optional parameters.

Basic Rules

type: creation
string
Only users with bypass permission can create matching refs.
rules:
  - type: creation
type: update
string
Only users with bypass permission can update matching refs. Setting update_allows_fetch_and_merge to true still lets the branch pull (fetch and merge) changes from its upstream repository.
rules:
  - type: update
    parameters:
      update_allows_fetch_and_merge: true
type: deletion
string
Only users with bypass permission can delete matching refs.
rules:
  - type: deletion
type: required_linear_history
string
Prevent merge commits from being pushed to matching refs.
rules:
  - type: required_linear_history
type: required_signatures
string
Require commits to be signed.
rules:
  - type: required_signatures

Pull Request Rule

type: pull_request
string
Require pull requests before merging.
rules:
  - type: pull_request
    parameters:
      dismiss_stale_reviews_on_push: true
      require_code_owner_review: true
      require_last_push_approval: true
      required_approving_review_count: 1
      required_review_thread_resolution: true

Status Checks Rule

type: required_status_checks
string
Require status checks to pass before merging.
parameters.strict_required_status_checks_policy
boolean
Whether the branch must be up to date with the base branch before merging, so pull requests are always tested against the latest code.
parameters.required_status_checks
array
Array of status checks that must pass. Each item has:
  • context (string, required) - The status check name
  • integration_id (integer) - The ID of the GitHub App that must report the check; omit it to accept the check from any source
rules:
  - type: required_status_checks
    parameters:
      strict_required_status_checks_policy: true
      required_status_checks:
        - context: CodeQL
          integration_id: 1234
        - context: CI
          integration_id: 5678

Using {{EXTERNALLY_DEFINED}}

To let status checks be managed outside of Safe Settings (for example, added by hand in the repository’s ruleset settings), set required_status_checks to the special value {{EXTERNALLY_DEFINED}}. Safe Settings then leaves the existing list of checks untouched instead of overwriting it with the contents of the settings file.
rules:
  - type: required_status_checks
    parameters:
      strict_required_status_checks_policy: true
      required_status_checks: '{{EXTERNALLY_DEFINED}}'
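The following added example (written for this page, not Safe Settings’ own implementation) shows the merge semantics the override implies: when the settings file says {{EXTERNALLY_DEFINED}}, the list of checks is copied from the live ruleset while every other parameter, such as the strict policy, still comes from the settings file. The desired and live rule lists are constructed; dropping the rule when there is no live list to copy is a choice made here, not documented behaviour.

```python
import copy
from typing import Optional

EXTERNALLY_DEFINED = "{{EXTERNALLY_DEFINED}}"

def resolve_status_checks(desired: dict, live: Optional[dict]) -> Optional[dict]:
    """Return the required_status_checks rule to send to the API.

    With the override, the check list comes from the live ruleset; other
    parameters (strict policy) still come from the settings file. With no live
    rule to copy from, this example drops the rule rather than send an empty
    list (a choice made here, not behaviour the page documents).
    """
    resolved = copy.deepcopy(desired)
    params = resolved.setdefault("parameters", {})
    if params.get("required_status_checks") != EXTERNALLY_DEFINED:
        return resolved
    if live is None:
        return None
    live_checks = live.get("parameters", {}).get("required_status_checks", [])
    params["required_status_checks"] = copy.deepcopy(live_checks)
    return resolved

def plan_rules(desired_rules: list, live_rules: list) -> list:
    """Build the rules array for a ruleset update from the desired rules,
    resolving the status-checks override against the live ruleset."""
    live_by_type = {r["type"]: r for r in live_rules}
    planned = []
    for rule in desired_rules:
        if rule["type"] == "required_status_checks":
            rule = resolve_status_checks(rule, live_by_type.get("required_status_checks"))
            if rule is None:
                continue
        planned.append(rule)
    return planned

# Constructed: rules as written in the settings file.
DESIRED_RULES = [
    {"type": "pull_request", "parameters": {"required_approving_review_count": 1}},
    {"type": "required_status_checks",
     "parameters": {"strict_required_status_checks_policy": True,
                    "required_status_checks": EXTERNALLY_DEFINED}},
]

# Constructed: the live ruleset after someone added a check in the UI and
# switched the strict policy off there.
LIVE_RULES = [
    {"type": "pull_request", "parameters": {"required_approving_review_count": 2}},
    {"type": "required_status_checks",
     "parameters": {"strict_required_status_checks_policy": False,
                    "required_status_checks": [
                        {"context": "CodeQL", "integration_id": 1234},
                        {"context": "lint"}]}},
]

if __name__ == "__main__":
    for rule in plan_rules(DESIRED_RULES, LIVE_RULES):
        print(rule)
```

The override means the list of required checks is no longer under version control, so a check can be removed in the UI without a pull request against the settings repository; keep the strict policy and the review rules in the file, and watch the audit log for ruleset changes.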

Workflows Rule

type: workflows
string
Require specific workflows to pass before merging.
rules:
  - type: workflows
    parameters:
      workflows:
        - path: .github/workflows/ci.yml
          repository_id: 123456
          ref: refs/heads/main

Required Deployments Rule

type: required_deployments
string
Require deployments to specific environments to succeed before merging.
rules:
  - type: required_deployments
    parameters:
      required_deployment_environments:
        - staging
        - production

Pattern Rules

type: commit_message_pattern
string
Require commit messages to match a pattern.
rules:
  - type: commit_message_pattern
    parameters:
      name: Commit message pattern
      negate: false
      operator: starts_with
      pattern: "feat:"
type: commit_author_email_pattern
string
Require commit author emails to match a pattern.
rules:
  - type: commit_author_email_pattern
    parameters:
      name: Author email pattern
      negate: false
      operator: regex
      pattern: "^.*@example\\.com$"
type: committer_email_pattern
string
Require committer emails to match a pattern.
rules:
  - type: committer_email_pattern
    parameters:
      name: Committer email pattern
      negate: false
      operator: regex
      pattern: "^.*@example\\.com$"
type: branch_name_pattern
string
Require branch names to match a pattern.
rules:
  - type: branch_name_pattern
    parameters:
      name: Branch name pattern
      negate: false
      operator: regex
      pattern: "^(feature|bugfix)/.*"
type: tag_name_pattern
string
Require tag names to match a pattern.
rules:
  - type: tag_name_pattern
    parameters:
      name: Tag name pattern
      negate: false
      operator: regex
      pattern: "^v[0-9]+\\.[0-9]+\\.[0-9]+$"
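To check what the pattern rules above accept before enforcing them, here is an added example (not Safe Settings or GitHub code) that evaluates the four operators and the negate flag against constructed commits. Python’s re module stands in for GitHub’s regex engine, which is an assumption; the rule and commit samples are constructed. Keep in mind that author and committer emails are self-asserted git metadata that anyone can set with git config, so these rules enforce hygiene, not identity; pair them with required_signatures when identity matters.

```python
import re

def pattern_rule_matches(rule: dict, value: str) -> bool:
    """Evaluate one *_pattern rule against a value: operator is one of
    starts_with / ends_with / contains / regex, and negate inverts the result.
    Python's re stands in for GitHub's regex engine (an assumption)."""
    params = rule["parameters"]
    op, pattern = params["operator"], params["pattern"]
    if op == "starts_with":
        hit = value.startswith(pattern)
    elif op == "ends_with":
        hit = value.endswith(pattern)
    elif op == "contains":
        hit = pattern in value
    elif op == "regex":
        hit = re.search(pattern, value) is not None
    else:
        raise ValueError(f"unknown operator {op!r}")
    return hit != bool(params.get("negate", False))

# Which commit field each commit-level rule type inspects.
FIELD_FOR_RULE = {
    "commit_message_pattern": "message",
    "commit_author_email_pattern": "author_email",
    "committer_email_pattern": "committer_email",
}

def find_violations(rules: list, commits: list) -> list:
    """Return (sha, rule name, offending value) for every commit/rule pair that
    fails. Rule types that do not apply to commits are skipped."""
    violations = []
    for commit in commits:
        for rule in rules:
            field = FIELD_FOR_RULE.get(rule["type"])
            if field is None:
                continue
            if not pattern_rule_matches(rule, commit[field]):
                name = rule["parameters"].get("name", rule["type"])
                violations.append((commit["sha"], name, commit[field]))
    return violations

# Constructed rules: the page's patterns, with the dot in example.com escaped so
# it matches only a literal dot.
RULES = [
    {"type": "commit_message_pattern",
     "parameters": {"name": "Conventional commits", "negate": False,
                    "operator": "regex", "pattern": "^(feat|fix|docs|chore):"}},
    {"type": "commit_author_email_pattern",
     "parameters": {"name": "Author email pattern", "negate": False,
                    "operator": "regex", "pattern": r"^.*@example\.com$"}},
    {"type": "committer_email_pattern",
     "parameters": {"name": "Committer email pattern", "negate": False,
                    "operator": "ends_with", "pattern": "@example.com"}},
]

# Constructed commits as a push would present them.
COMMITS = [
    {"sha": "aaaaaaa", "message": "feat: add login rate limit",
     "author_email": "alice@example.com", "committer_email": "alice@example.com"},
    {"sha": "bbbbbbb", "message": "wip",
     "author_email": "bob@example.com", "committer_email": "bob@example.com"},
    {"sha": "ccccccc", "message": "fix: typo",
     "author_email": "mallory@example.com.evil.test", "committer_email": "mallory@example.com"},
]

if __name__ == "__main__":
    for sha, rule_name, value in find_violations(RULES, COMMITS):
        print(f"{sha} rejected by {rule_name!r}: {value!r}")
```

An unescaped dot in a regex pattern is a common slip: ^.*@example.com$ also accepts mallory@exampleXcom, while the escaped form does not; the ends_with operator avoids the problem for simple suffix checks.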

Complete Example

rulesets:
  - name: Production Branch Protection
    target: branch
    enforcement: active
    
    bypass_actors:
      - actor_id: 1
        actor_type: OrganizationAdmin
        bypass_mode: always
      - actor_id: 5678
        actor_type: Team
        bypass_mode: pull_request
    
    conditions:
      ref_name:
        include:
          - "~DEFAULT_BRANCH"
          - "refs/heads/release/*"
        exclude:
          - "refs/heads/release/old"
    
    rules:
      - type: creation
      - type: update
        parameters:
          update_allows_fetch_and_merge: true
      - type: deletion
      - type: required_linear_history
      - type: required_signatures
      
      - type: pull_request
        parameters:
          dismiss_stale_reviews_on_push: true
          require_code_owner_review: true
          require_last_push_approval: true
          required_approving_review_count: 2
          required_review_thread_resolution: true
      
      - type: required_status_checks
        parameters:
          strict_required_status_checks_policy: true
          required_status_checks:
            - context: CodeQL
              integration_id: 1234
            - context: CI
              integration_id: 5678
      
      - type: commit_message_pattern
        parameters:
          name: Conventional commits
          negate: false
          operator: regex
          pattern: "^(feat|fix|docs|chore):"
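Before a ruleset like the one above is merged into a settings repository, a reviewer wants a few policy checks run automatically: enforcement is active, ref patterns match the target, repository_name is only used at organization level, no team or app holds an always bypass, email pattern rules are backed by required_signatures, and a branch ruleset has a pull_request rule. The following added example (not Safe Settings code) implements those checks over the parsed YAML; the Complete Example and a deliberately weak tag ruleset are embedded as constructed dicts, and the set of known rule types is the one documented on this page.

```python
# Rule types documented on this page; extend it if your organization uses others.
KNOWN_RULE_TYPES = {
    "creation", "update", "deletion", "required_linear_history", "required_signatures",
    "pull_request", "required_status_checks", "workflows", "required_deployments",
    "commit_message_pattern", "commit_author_email_pattern", "committer_email_pattern",
    "branch_name_pattern", "tag_name_pattern",
}
REF_PREFIX = {"branch": "refs/heads/", "tag": "refs/tags/"}
EMAIL_RULES = {"commit_author_email_pattern", "committer_email_pattern"}

def lint_ruleset(ruleset: dict, level: str = "repository") -> list:
    """Return human-readable findings for one ruleset dict (the parsed YAML).
    level is 'repository' or 'organization', i.e. where the settings file lives."""
    findings = []
    name = ruleset.get("name", "<unnamed>")
    if ruleset.get("enforcement") != "active":
        findings.append(f"{name}: enforcement is {ruleset.get('enforcement')!r}, "
                        "so nothing is blocked until it is 'active'")
    target = ruleset.get("target")
    conds = ruleset.get("conditions", {})
    prefix = REF_PREFIX.get(target)
    if prefix is None:
        findings.append(f"{name}: target must be 'branch' or 'tag', got {target!r}")
    else:
        for key in ("include", "exclude"):
            for pat in conds.get("ref_name", {}).get(key, []):
                if not pat.startswith(("~", prefix)):
                    findings.append(f"{name}: ref_name.{key} entry {pat!r} is not a "
                                    f"{prefix}... pattern or a ~ alias")
    if "repository_name" in conds and level != "organization":
        findings.append(f"{name}: conditions.repository_name only works in organization-level rulesets")
    for actor in ruleset.get("bypass_actors", []):
        kind, actor_id, mode = actor.get("actor_type"), actor.get("actor_id"), actor.get("bypass_mode")
        if kind == "OrganizationAdmin" and actor_id != 1:
            findings.append(f"{name}: OrganizationAdmin bypass must use actor_id 1, got {actor_id!r}")
        if mode == "always" and kind != "OrganizationAdmin":
            findings.append(f"{name}: {kind} {actor_id} can bypass every rule with a direct push; "
                            "prefer bypass_mode: pull_request")
    types = [r.get("type") for r in ruleset.get("rules", [])]
    for t in types:
        if t not in KNOWN_RULE_TYPES:
            findings.append(f"{name}: unknown rule type {t!r}")
    if EMAIL_RULES & set(types) and "required_signatures" not in types:
        findings.append(f"{name}: email pattern rules only check self-asserted git metadata; "
                        "add required_signatures if the identity matters")
    if target == "branch" and "pull_request" not in types:
        findings.append(f"{name}: no pull_request rule, so direct pushes to matching branches are allowed")
    return findings

# Constructed: the Complete Example above, in the shape yaml.safe_load would return.
PRODUCTION = {
    "name": "Production Branch Protection", "target": "branch", "enforcement": "active",
    "bypass_actors": [
        {"actor_id": 1, "actor_type": "OrganizationAdmin", "bypass_mode": "always"},
        {"actor_id": 5678, "actor_type": "Team", "bypass_mode": "pull_request"},
    ],
    "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH", "refs/heads/release/*"],
                                "exclude": ["refs/heads/release/old"]}},
    "rules": [
        {"type": "creation"},
        {"type": "update", "parameters": {"update_allows_fetch_and_merge": True}},
        {"type": "deletion"}, {"type": "required_linear_history"}, {"type": "required_signatures"},
        {"type": "pull_request", "parameters": {"required_approving_review_count": 2}},
        {"type": "required_status_checks", "parameters": {
            "strict_required_status_checks_policy": True,
            "required_status_checks": [{"context": "CodeQL", "integration_id": 1234}]}},
        {"type": "commit_message_pattern", "parameters": {"operator": "regex", "pattern": "^(feat|fix|docs|chore):"}},
    ],
}

# Constructed: a tag ruleset with several weaknesses for the linter to catch.
WEAK = {
    "name": "Release tags", "target": "tag", "enforcement": "evaluate",
    "bypass_actors": [{"actor_id": 4321, "actor_type": "Team", "bypass_mode": "always"}],
    "conditions": {"ref_name": {"include": ["refs/heads/v*"]}},
    "rules": [{"type": "committer_email_pattern", "parameters": {"operator": "ends_with", "pattern": "@example.com"}},
              {"type": "deletion"}],
}

if __name__ == "__main__":
    for rs in (PRODUCTION, WEAK):
        for finding in lint_ruleset(rs):
            print(finding)
```

Run it from a pre-commit hook or CI job over every rulesets entry in the settings repository; the Complete Example passes cleanly, while the weak tag ruleset produces four findings.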

Repository vs Organization Rulesets

Rulesets can be defined at two levels:
  • Repository level: Defined in repository settings files, applies only to that repository
  • Organization level: Defined in org-level settings files, can target multiple repositories using conditions.repository_name
Safe Settings automatically determines the scope based on where the ruleset is defined.

API Reference

For more details, see GitHub’s REST API documentation:
