
I scanned the public repos of 128 YC-backed dev tools companies, 6,195 repos in total. I expected the companies building our tooling to enforce the basics on themselves. Only 2 of the 128 require any status check to pass before merging.

[-] Kissaki@programming.dev 4 points 11 hours ago

I suspect many don't enforce it via GitHub functionality, but do implicitly require or recommend reviews.

How many contributors do these projects have? All multiple active?

[-] peternovakdev@programming.dev 1 points 7 hours ago

Don’t have data to answer that, but it’s a very good question. Weighting it by the number of contributors would make the data more honest, and probably more interesting. Will consider a follow-up based on this angle - thanks!

[-] setsubyou@lemmy.world 31 points 1 day ago

We used to use completely separate tools for code review (in our case because the process was older than git). Some of them might be doing something similar.

[-] atzanteol@sh.itjust.works 17 points 1 day ago

This was my first thought - just because your code is on GitHub doesn't mean you're using it for everything.

[-] peternovakdev@programming.dev 5 points 1 day ago

That's fair, and it's a real limit of measuring GitHub config. If a team runs review or merge gating in a separate tool, or mirrors to GitHub from somewhere that's their actual source of truth, the scan won't see it and they'd look unprotected when they aren't. The finding is really about repos where GitHub is the place the work happens, and even then it's public repos only. Worth saying plainly so the number isn't read as more than it is.

[-] eager_eagle@lemmy.world 8 points 1 day ago

IME some people (at least the ones who care) start more critical repos with good intentions, enabling most of these things.

But then comes a time where a hotfix must be merged asap to production and there's no one to review it for 3 days; branch protection gets disabled.

Or an update in the code quality tooling detects an additional dozen warnings without the codebase changing; check enforcement gets disabled.

I think in most cases this is completely fine. Whoever is already a contributor should know what the team policy on merging things is, and having ways to occasionally bypass these checks can be more beneficial than not.

[-] FizzyOrange@programming.dev 3 points 19 hours ago

That is... shoddy. This is basic stuff.

[-] LovableSidekick@lemmy.world 5 points 23 hours ago

Okay, now check whether anybody actually reads TOS when they check the box that says they did.

[-] CrypticCoffee@lemmy.ml 19 points 1 day ago

Startups hack things into production?

Shocked, I tell you.

[-] peternovakdev@programming.dev 6 points 1 day ago

Right? The part that surprised me was that most of them turn branch protection ON and then don't require any check to pass. So the gate is there, it just doesn't gate anything. Makes me wonder if private repos are the same or if the public ones just get less attention.

[-] dwt@feddit.org 12 points 1 day ago

Not a startup, but we require code review, even though it is not enforced via rules, to allow emergency overrides.

Gets used maybe once every 300 pull requests though.

Convention over configuration is a thing - so maybe look into their actual merge behavior?

[-] VonReposti@feddit.dk 6 points 1 day ago

My old workplace had the same-ish. The developer team who owned the service had rights to disable branch protection. Disabling this would create alerts to the manager but allowed an on-call developer to make an emergency bug fix at 2am and get a postmortem review the next day.

[-] peternovakdev@programming.dev 2 points 1 day ago

Good distinction. If it's useful, GitHub lets you require checks and still grant a bypass for specific people or teams, so the hard rule and the emergency escape hatch can coexist, and the scan reads that as passing. Could be you've already weighed that, in which case ignore me.
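Added example, not part of the thread and not the scan's own code: one way to tell "branch protection is on" apart from "a status check is actually required", the distinction raised in the comments above. It assumes input shaped like the JSON body of GitHub's classic branch protection endpoint; the sample bodies and function names are constructed for illustration, and rulesets with their bypass lists are not covered.

```python
import json

# Constructed samples shaped like the body of GitHub's REST endpoint
# GET /repos/{owner}/{repo}/branches/{branch}/protection; None stands for the 404 of an unprotected branch.
SAMPLES = {
    "no-protection": None,
    "gate-without-checks": json.loads("""{
        "required_pull_request_reviews": {"required_approving_review_count": 1},
        "enforce_admins": {"enabled": false}
    }"""),
    "empty-check-list": json.loads("""{
        "required_status_checks": {"strict": true, "contexts": [], "checks": []},
        "enforce_admins": {"enabled": true}
    }"""),
    "checks-required": json.loads("""{
        "required_status_checks": {"strict": true, "contexts": ["ci/build"],
                                   "checks": [{"context": "ci/build", "app_id": null}]},
        "enforce_admins": {"enabled": false}
    }"""),
}


def required_checks(protection):
    """Return the sorted names of status checks that must pass before merging."""
    rsc = (protection or {}).get("required_status_checks") or {}
    names = set(rsc.get("contexts") or [])
    names.update(c["context"] for c in rsc.get("checks") or [] if c.get("context"))
    return sorted(names)


def classify(protection):
    """Classify one branch: unprotected, protected-no-checks, or checks-required."""
    if protection is None:
        return "unprotected"
    if not required_checks(protection):
        # Protection is on, but no named check can block a merge.
        return "protected-no-checks"
    return "checks-required"


def admins_exempt(protection):
    """True when the rules are not enforced for administrators."""
    return not ((protection or {}).get("enforce_admins") or {}).get("enabled", False)


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:22} {classify(body):20} admins_exempt={admins_exempt(body)}")
```
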

[-] MalReynolds@slrpnk.net 0 points 1 day ago

Why would you do that?

Because you hate yourself?

Oh, right, you found a tool (self reflect) that lets you do it with zero effort. FU..

this post was submitted on 30 May 2026
105 points (99.1% liked)
