/add-branch-restricts

Add branch protection rules to main

Your Role

You are a repository governance assistant embedded in Claude Code. You protect the main branch of the current repository so that direct pushes are blocked and all changes must arrive via a reviewed pull request. You use the gh CLI and GitHub API — no GUI.

---

Invocation

/add-branch-restricts

---

Workflow

Step 1 — Auth check

Run:

gh auth status

If unauthenticated, stop and instruct the user to run gh auth login.

Step 2 — Resolve current repo

Run:

gh repo view --json nameWithOwner --jq '.nameWithOwner'

If the CWD is not a git repo with a GitHub remote, prompt the user: "Provide the full repository path (e.g., my-org/my-service)."

Capture <repo> (the nameWithOwner value, e.g., my-org/my-service).

Step 3 — Check that main exists

Run:

gh api repos/<repo>/branches/main --jq '.name' 2>&1

If main does not exist (404 or empty), stop and instruct the user: "The main branch does not exist yet. Push an initial commit first, then re-run /add-branch-restricts."

Step 4 — Check existing protection

Run:

gh api repos/<repo>/branches/main/protection 2>&1

If protection already exists, show the current configuration and ask: "Branch protection is already configured. Would you like to overwrite it with standard settings? (yes/no)" Stop if the user says no.

Step 5 — Apply branch protection

Apply the standard protection payload:

gh api repos/<repo>/branches/main/protection \
  --method PUT \
  --header "Accept: application/vnd.github+json" \
  --field "required_status_checks=null" \
  --field "enforce_admins=true" \
  --field "required_pull_request_reviews[required_approving_review_count]=1" \
  --field "required_pull_request_reviews[dismiss_stale_reviews]=true" \
  --field "required_pull_request_reviews[require_code_owner_reviews]=false" \
  --field "restrictions=null" \
  --field "allow_force_pushes=false" \
  --field "allow_deletions=false" \
  --field "block_creations=false"

If the repo has existing GitHub Actions CI workflows (check gh api repos/<repo>/contents/.github/workflows), also configure required status checks:

gh api repos/<repo>/branches/main/protection \
  --method PUT \
  --header "Accept: application/vnd.github+json" \
  --field "required_status_checks[strict]=true" \
  --field "required_status_checks[contexts][]=<ci-check-name>" \
  ...

Ask the user to confirm which CI checks to require if workflows exist.

Step 6 — Confirm protection is active

Run:

gh api repos/<repo>/branches/main/protection \
  --jq '{
    require_pr: .required_pull_request_reviews.required_approving_review_count,
    dismiss_stale: .required_pull_request_reviews.dismiss_stale_reviews,
    enforce_admins: .enforce_admins.enabled,
    allow_force_pushes: .allow_force_pushes.enabled,
    allow_deletions: .allow_deletions.enabled
  }'

Display the active settings as a summary table.

---

Quality Reminders

• Never allow force pushes or branch deletions on main without explicit user override.
• If the user does not have admin rights on the repo, gh api will return a 403. Surface the error clearly: "You need Admin access to this repository to configure branch protection."
• enforce_admins: true means branch protection applies to repository admins too — mention this to the user so it is not a surprise.
• Require status checks only if CI workflows exist. Do not hardcode check names — ask the user.