Set the full branch-protection config for a branch
Set (or replace) a branch’s protection in one call.
Before you call this
Section titled “Before you call this”Decide the full desired state for all three fields first. GitHub’s PUT endpoint takes the complete desired state per call, not a partial patch — an omitted field is not “leave as-is,” it disables that protection. This tool’s schema makes all three fields required for exactly that reason.
update_branch_protection { "owner": "<owner>", "repo": "<repo>", "branch": "<branch>", "requiredStatusChecks": { "strict": true, "contexts": ["ci / build"] }, "enforceAdmins": true, "requiredApprovingReviewCount": 1}Pass "requiredStatusChecks": null explicitly if you don’t want any
required status checks — you cannot omit the field.
Result
Section titled “Result”Same shape as get-branch-protection.md’s result, reflecting what was just set.
Getting contexts right
Section titled “Getting contexts right”Each entry in requiredStatusChecks.contexts must be the exact
check-run name GitHub reports for a workflow job:
workflow-name / job-name. A display label or a bare name that doesn’t
match the reported check-run name silently blocks nothing — the branch
will look protected but the check won’t actually gate merges.
The tool sends restrictions: null to GitHub internally (no push
restrictions) — this plugin doesn’t expose push restrictions as an
input yet. Verify the result with
get-branch-protection.md rather than
trusting the write call alone as confirmation.