GitHub branch protection questions and CODEOWNERS file


I have several questions on GitHub security.

(1) For protected branches, are the Maintain role and the Admin role the only ones that can merge to them? I noticed Write can't do it.

(2) If I had a team that had Maintain access to my repo, why would I need that same team in the CODEOWNERS file for approval? What is the use case for the CODEOWNERS file then?

(3) Is there any way to enforce approval from the CODEOWNERS file, and not from users who have Write or Maintain access? It seems like those two groups can approve a PR as well.


Regarding the first point ("For protected branches, are the Maintain role and the Admin role the only ones that can merge to them?"), since Feb. 2023 there is a new option/role:

Manage branch protection rules with a new permission (Feb. 2023)

You can now create a custom role to manage branch protections without having to grant the Admin role.
Previously, to manage branch protections you had to be an Admin which provides additional permissions that may not be needed.
For tighter control of Admin permissions, you can now craft a custom role that has the Edit repository rules permission, allowing just the right amount of access.

(Image: the custom roles dialog showing the new "Edit repository rules" permission: https://i0.wp.com/user-images.githubusercontent.com/7575792/215608072-49f28961-f372-445b-8575-dded7ab7df2a.png?ssl=1)

This permission grants the ability to create, edit, and delete both branch protection rules and protected tags.

For more information, visit Managing custom repository roles for an organization in the GitHub documentation.

We appreciate feedback on this in GitHub's public feedback discussions.
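The answer above covers who may edit protection rules, but not how CODEOWNERS ownership is resolved or how to make those owners' approval mandatory (the asker's points 2 and 3). The following is an added example, not code from the question, the answer or GitHub: a minimal CODEOWNERS evaluator using GitHub's "last matching pattern wins" rule, plus the request body for the branch protection REST endpoint that turns on "Require review from Code Owners". The sample CODEOWNERS text, team names and file paths are constructed for illustration, and the pattern matcher is a deliberate simplification of GitHub's gitignore-style syntax (it handles `*`, `**`, a leading `/` anchor and a trailing `/` directory marker only).

```python
"""Added example (not from the original question or answer).

Assumptions, none of which come from the page: the CODEOWNERS content,
team names and paths below are constructed; the matcher is a simplified
subset of GitHub's gitignore-style rules; the protection payload targets
GitHub's `PUT /repos/{owner}/{repo}/branches/{branch}/protection` API.
"""
import fnmatch
import json

# Constructed sample CODEOWNERS content (illustrative, not from the page).
SAMPLE_CODEOWNERS = """
# Default: the platform team owns anything not matched by a later line.
*                       @acme/platform
# Later lines win over earlier ones for the paths they match.
/infra/                 @acme/sre
*.tf                    @acme/sre
/src/auth/              @acme/security @acme/platform
/docs/                  @acme/docs
"""


def parse_codeowners(text):
    """Return [(pattern, [owners...])] in file order, dropping comments/blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def _matches(pattern, path):
    """Simplified gitignore-style match (assumption: subset of GitHub's rules).

    A leading '/' anchors the pattern to the repo root; otherwise it may
    match at any directory depth. A trailing '/' means 'everything below'.
    """
    anchored = pattern.startswith("/")
    pat = pattern.lstrip("/")
    if pat.endswith("/"):
        pat += "**"
    if anchored:
        candidates = [path]
    else:
        parts = path.split("/")
        candidates = ["/".join(parts[i:]) for i in range(len(parts))]
    return any(fnmatch.fnmatchcase(c, pat) for c in candidates)


def owners_for(path, rules):
    """Owners of `path`: the LAST matching rule wins, as GitHub evaluates it."""
    owners = []
    for pattern, rule_owners in rules:
        if _matches(pattern, path):
            owners = rule_owners
    return owners


def required_reviewers(changed_paths, rules):
    """Map each changed file to the owners whose approval it needs.

    With code-owner review required, a PR touching both infra/ and
    src/auth/ needs an @acme/sre approval AND one from an auth owner;
    an approval from an unrelated Write/Maintain user does not satisfy
    the code-owner requirement.
    """
    return {path: owners_for(path, rules) for path in changed_paths}


def branch_protection_payload(approvals=1):
    """Request body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.

    `require_code_owner_reviews` is the setting behind the UI checkbox
    "Require review from Code Owners". `enforce_admins` makes the rule
    apply to Admins too; leave it True unless you deliberately want an
    Admin bypass. Field names follow GitHub's REST API reference.
    """
    return {
        "required_status_checks": None,
        "enforce_admins": True,
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": True,
            "require_code_owner_reviews": True,
            "required_approving_review_count": approvals,
        },
        "restrictions": None,
    }


if __name__ == "__main__":
    rules = parse_codeowners(SAMPLE_CODEOWNERS)
    print(required_reviewers(["infra/main.tf", "src/auth/login.py", "README.md"], rules))
    print(json.dumps(branch_protection_payload(), indent=2))
```

To apply the payload, write it to a file and send it with the GitHub CLI, e.g. `gh api -X PUT repos/OWNER/REPO/branches/main/protection --input payload.json` (OWNER/REPO and the branch name are yours to fill in). The CODEOWNERS file must exist on the protected branch for the requirement to take effect, and a pattern whose owners have no write access is silently ignored by GitHub, so keep the team in both places: repo access grants the ability to approve at all, CODEOWNERS decides whose approval the rule actually demands.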