Phabricator + protected GitHub repos


#1

I have an existing repo on GitHub that I’d like to try using Differential to do code reviews for, but I want to keep the repo’s master branch protected, so end users can’t push directly to it without code review/green CI, and I also want all people currently using GitHub pull requests to be able to continue using that workflow.

Is this possible with Phabricator? I was planning on doing something like:

  • Give Phabricator direct access to push master
  • Host a copy (clone? mirror? not sure) of the repo on Phabricator. Protect master on Phabricator’s copy too, to require code review/green CI.
  • When you push to master on Phabricator’s copy of the repo, the changes also get pushed upstream to GitHub.

Is that possible?


#2

You can either have the “Real” repository in Phabricator and mirrored to GitHub, or in GitHub and Observed by Phabricator - otherwise you risk having conflicts between the two copies.
If it’s hosted in Phabricator, you can’t use GH’s Pull Requests, so you want to have Phabricator Observe the GitHub repo, and Differential landing to happen directly to GH.

You can then use some kind of local hack to build a variant of T182, to have Phabricator run the land code by pushing to GitHub; this will run as a specific GH account which has permission to bypass the GH Protection; you’ll make sure in your code to properly protect against evil pushes.


#3

Interesting, ok. Not sure exactly what I’m supposed to be looking at from that link, but you’re saying there should be a way to get arc land or some other “landing” flow to push to GH via the Phabricator server?


#4

There is a way to put a button on Phabricator’s Review page which will Land to GitHub… unfortunately though, this way still (I think) involves writing custom PHP code and adding it to your Phabricator install (or writing a different service in your favorite language, that will run the arc land using the super-pusher credentials).

arc land runs from the computer of the user that runs it; it can definitely target GitHub, but GH won’t understand that the change has been through review, so it will be blocked, unless you somehow allow the set of users who use Phabricator to bypass the GH protection.

There are other, more complicated solutions, that require more code and are more confusing to use.
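
Added example (not part of the thread, and not Phabricator's code): the checks a land service holding the bypass credentials could run before pushing to GitHub, as raised in posts #2 and #4. The record fields and status strings are assumptions; a real service would fill them from Phabricator and from git.

```python
# Added example: pre-push gate for a hypothetical land service.
# Field names and status strings are assumptions, not Phabricator's API.
from dataclasses import dataclass, replace

PROTECTED_REF = "refs/heads/master"  # the only ref the service may update


@dataclass(frozen=True)
class LandRequest:
    revision_status: str   # review state, e.g. "accepted" or "needs-review"
    accepted_diff: int     # diff id the reviewers accepted
    active_diff: int       # newest diff id on the revision right now
    build_status: str      # CI result, e.g. "passed" or "failed"
    built_diff: int        # diff id that CI result belongs to
    target_ref: str        # ref the requester asked to update
    expected_tree: str     # tree hash from applying accepted diff to remote_head
    commit_tree: str       # tree hash of the commit about to be pushed
    commit_parent: str     # parent of that commit
    remote_head: str       # current tip of PROTECTED_REF on GitHub


def land_refusals(req: LandRequest) -> list[str]:
    """Return every reason to refuse the push; an empty list means proceed."""
    reasons = []
    if req.revision_status != "accepted":
        reasons.append("revision is not accepted")
    if req.active_diff != req.accepted_diff:
        reasons.append("revision was updated after it was accepted")
    if req.build_status != "passed" or req.built_diff != req.active_diff:
        reasons.append("no green build for the diff being landed")
    if req.target_ref != PROTECTED_REF:
        reasons.append("target ref is not the protected branch")
    if req.commit_tree != req.expected_tree:
        reasons.append("commit content differs from the reviewed diff")
    if req.commit_parent != req.remote_head:
        reasons.append("commit is not a fast-forward of the remote head")
    return reasons


# Constructed sample data (not real hashes or ids).
OK = LandRequest("accepted", 7, 7, "passed", 7, PROTECTED_REF,
                 "tree-aaa", "tree-aaa", "head-111", "head-111")
STALE = replace(OK, active_diff=8)             # new diff uploaded after accept
SWAPPED = replace(OK, commit_tree="tree-bbb")  # pushed content was not reviewed

if __name__ == "__main__":
    for name, req in [("OK", OK), ("STALE", STALE), ("SWAPPED", SWAPPED)]:
        print(name, land_refusals(req) or "may land")
```

The service would push only when the list is empty, and log the reasons otherwise so a refused land can be audited.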


#5

T182 is the general-purpose “add button to Revision page to Land” task, which includes things such as this flow. We even had code once to Land directly to GH, but it was removed because it was pretty bad.