Three steps are involved with connecting Merge Freeze to a protected branch in Github: Authorise Merge Freeze to access some of your details, Install the Merge Freeze App on your Github organisation or personal account, and Add a protected branch so Merge Freeze knows which pull requests to monitor.
We use Github as the only method for authenticating who you are. We don’t use email/password combinations or any other method to sign you in. This is because we need to ask Github what repositories you belong to that also have the Merge Freeze App installed on them.
Unfortunately Github does not provide your email address when authenticating via a Github App rather than an OAuth App (more information below), so we still need to ask you to provide an email address so that we can communicate with you if we need to.
Merge Freeze is a Github App. Github Apps offer much more granular permissions than Github OAuth Apps and do not belong to any one user. They can be installed either on a whole organisation or only on specific repositories by anyone who is an owner or has admin rights.
Merge Freeze works by adding a status check to any pull request that wants to merge into a protected branch of your choosing, usually master. Once you have chosen a repository and a protected branch, Merge Freeze will automatically send status updates to all pull requests wanting to merge into it (SUCCESS by default until you toggle your first merge freeze).
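On GitHub a status check only blocks a merge when the branch protection rule lists it as required, so the following added example (not Merge Freeze's own code) audits a branch protection object, in the shape GitHub's REST API returns for a protected branch, for that condition and for admin bypass. The sample JSON is constructed, and the status context name is a placeholder assumption because this page does not give the name Merge Freeze reports.

```python
import json

# Assumption: placeholder for the status context Merge Freeze reports on your
# pull requests; the page does not state the real name.
FREEZE_CONTEXT = "merge-freeze-placeholder"


def audit_protection(protection, freeze_context=FREEZE_CONTEXT):
    """Return findings for a branch protection object (GitHub REST API shape)."""
    findings = []
    rsc = protection.get("required_status_checks") or {}
    # Required checks can appear in the legacy "contexts" list or in "checks".
    required = set(rsc.get("contexts") or [])
    required |= {c.get("context") for c in (rsc.get("checks") or [])}
    if freeze_context not in required:
        # The status is still posted, but a non-success state is advisory only.
        findings.append("freeze-status-not-required")
    # With enforce_admins off, repository admins can merge past required checks.
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("admins-can-bypass")
    return findings


# Constructed sample responses, not captured from a real repository.
ENFORCED = json.loads("""
{"required_status_checks": {"strict": true,
   "contexts": ["ci/build"],
   "checks": [{"context": "ci/build", "app_id": 1},
              {"context": "merge-freeze-placeholder", "app_id": 2}]},
 "enforce_admins": {"enabled": true}}
""")
ADVISORY_ONLY = json.loads("""
{"required_status_checks": {"strict": false, "contexts": ["ci/build"], "checks": []},
 "enforce_admins": {"enabled": false}}
""")
NO_CHECKS = json.loads(
    '{"required_status_checks": null, "enforce_admins": {"enabled": true}}'
)

if __name__ == "__main__":
    samples = [("enforced", ENFORCED), ("advisory-only", ADVISORY_ONLY),
               ("no-checks", NO_CHECKS)]
    for name, sample in samples:
        print(name, audit_protection(sample) or "ok")
```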
If "Only repository admins can freeze" is checked in the project settings, then only users with Github admin privileges on the project's repository can implement a freeze via the web UI. This restriction also prevents non-admins from unfreezing a project, unfreezing and re-freezing single pull requests during a freeze, or unfreezing deployments if the web API is being used in a deployments script.
If "Only repository admins can freeze" is not checked then anyone who has access to a repository that has Merge Freeze installed on it will have the option to implement a merge freeze through the web UI. Here’s how Github defines access to a repository:
The authenticated user has explicit permission to access repositories they own, repositories where they are a collaborator, and repositories that they can access through an organization membership.
If a project has been connected to Slack then anyone in that Slack team can also implement a merge freeze using the /mergefreeze Slack command.
In addition to implementing a merge freeze, any of the above users can also unfreeze and re-freeze single pull requests during a freeze, or unfreeze deployments if the web API is being used in a deployments script.
Users must have Github admin privileges to the repository in order to add, update and delete recurring freezes; connect, disconnect and change the channel of a protected branch’s Slack notifications; and update a protected branch’s web API auth token.