Branch protection, Mergify's conditions, and repo permissions

[MattSturgeon]

I'm struggling to understand how github's and mergify's respective protection rules interact with repo permissions.

In particular, as described here.

Would a more permissive merge condition "bypass" a more restrictive branch protection rule?
E.g. a mergify rule that allows merging specific types of PR, with fewer approvals than normally required by github's branch protection.

If not, what prevents users with contents: write permission from bypassing mergify conditions by merging manually?
E.g. an impatient maintainer manually merges a PR that doesn't yet meet mergify's conditions.

I think that'd be possible, because github branch protection would have to be relaxed to support the more permissive mergify conditions?

Would this behave differently if mergify conditions were instead implemented using post_checks?

Another way of asking my question is: does mergify add or remove restrictions, and if so, how? Are its restrictions intended to apply to users with contents: write permission?

Apologies for rambling, I'm struggling to articulate my question!

[DouglasBlackwood]

Hi

Mergify can't bypass GitHub's branch protections. Mergify has its own rules to perform actions, like merging or creating a check-run. See it like a wrapper on GitHub.

If you want to prevent someone from merging manually, you have to protect the branch using GitHub's branch protections, so the UI disables the manual merge. Either Mergify is the only one who can merge, or Mergify can post a check-run (using the post_check action) to meet the branch protection requirements. That's how you achieve finer-grained branch protection.

I hope that answer your question.

[MattSturgeon]

If you want to prevent someone from merging manually, you have to protect the branch using GitHub's branch protections, so the UI disables the manual merge.

Thanks, that's reinforced my understanding!

Either Mergify is the only one who can merge,

Ah, I hadn't realized github had a restrict who can push to matching branches rule. I guess that could be configured as "only mergify can push".

or Mergify can post a check-run (using the post_check action) to meet the branch protection requirements.

I had assumed this would be the only way, i.e. setting require status checks before merging either to strict or loose and then configuring all mergify rules as post_check actions.