How to restrict team members from merging the changes that they made in their forked repository into the base repository?


I have created a base repository and sent a request to my friend to become a collaborator on my project. He forked my repository and made some changes there. Then he created a pull request for me to merge the changes that he made. But along with it, he is also getting the option to merge the changes into the base repository, i.e. my repository, without my permission. How can I restrict it? I mean, how can only I merge the request, instead of all my team members?

Actually, I have tried it on a single PC where I opened the main account in the browser and another account in an incognito tab. I created the pull request from my other account to the main account, but in my other account I got the option to merge changes into the base repository, which belongs to my main account, and when I do so the changes are reflected in my main account's GitHub repository as well.

Help me fix it. If I am wrong somewhere, then tell me the procedure so that my friends can only create pull requests and I will merge them after checking.


There are 2 best solutions below

2
On BEST ANSWER

To protect a branch on your repository GitHub page:

  1. Open the Settings tab at the top right
  2. Click Branches in the left-hand column
  3. Select the branch you want to protect/restrict access to
  4. To the right of Branch Protection Rules, click Add Rule
  5. The Branch name pattern field is the exact name of the branch you want to protect.
  6. Select Require pull request reviews before merging OR select Require review from Code Owners
  7. Click the green Create button at the bottom and you're done!
2
On

Check first how your target branch (the one used as target for the merge request) is protected.

See "About protected branches", more precisely "Defining the mergeability of pull requests".

You could force "required reviews for pull request":

Repository administrators can require that all pull requests receive a specific number of approving reviews from:

  • people with write or admin permissions in the repository
  • or from a designated code owner before they're merged into a protected branch.

Regarding patterns, the documentation mentions:

You can create a branch rule in a repository for a specific branch, all branches, or any branch that matches a naming pattern specified with the fnmatch syntax.
For example, to require any branch containing the word release to have at least two pull request reviews before merging, you can create a branch rule for *release*.

You can see an example of fnmatch pattern here.
The full specification of pattern matches is in here, which leads to Patterns Matching a Single Character and Multiple Characters.
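
The following is an added example, not part of either answer or of GitHub's documentation: a small Ruby check of which branch names a set of branch rule patterns covers. It assumes the behavior GitHub documents for branch rules (Ruby's `File.fnmatch` with the `File::FNM_PATHNAME` flag, so `*` does not match a `/`); the branch names, rule lists and helper names are constructed for illustration.

```ruby
# Added example: audit which branches a set of branch-rule patterns covers.
# Assumption: patterns are evaluated like Ruby's File.fnmatch with
# File::FNM_PATHNAME, so "*" never crosses a "/" in a branch name.

# True when the rule pattern applies to the given branch name.
def rule_covers?(pattern, branch)
  File.fnmatch(pattern, branch, File::FNM_PATHNAME)
end

# Branches that no pattern covers, i.e. where no review requirement applies.
def unprotected_branches(patterns, branches)
  branches.reject { |b| patterns.any? { |p| rule_covers?(p, b) } }
end

# Map each branch to the patterns that apply to it (empty list = unprotected).
def coverage(patterns, branches)
  branches.to_h { |b| [b, patterns.select { |p| rule_covers?(p, b) }] }
end

# Constructed sample branch names, not taken from a real repository.
BRANCHES = %w[
  main release release-1.2 pre-release
  hotfix/release-1.2 qa/login qa/api/v2 dev
].freeze

# The pattern from the documentation quote, plus the default branch.
RULES_BEFORE = ["main", "*release*"].freeze

# Extra patterns for branch names that contain exactly one "/".
RULES_AFTER = (RULES_BEFORE + ["*/*release*", "qa/*"]).freeze

if __FILE__ == $PROGRAM_NAME
  { "before" => RULES_BEFORE, "after" => RULES_AFTER }.each do |label, rules|
    puts "Rules #{label}: #{rules.inspect}"
    coverage(rules, BRANCHES).each do |branch, hits|
      status = hits.empty? ? "UNPROTECTED" : "covered by #{hits.join(', ')}"
      puts format("  %-20s %s", branch, status)
    end
  end
end
```

With the first rule list, `hotfix/release-1.2` is not covered even though it contains the word release, and `qa/*` still leaves `qa/api/v2` uncovered because each `*` stops at a slash.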