ルールセットでレビューを却下できるユーザーを制限する機能 Restrict who can dismiss reviews in rulesets
- GitHubのルールセットにプルリクエストのレビューを却下できるユーザーやチームを限定する機能が追加された。
- これにより組織はコードレビューの統制を強化し、承認済みレビューが不適切に却下されるリスクを軽減できる。
English summary
- GitHub rulesets now support restricting which users or teams can dismiss pull request reviews, giving organizations stronger and more explicit governance over their code review process.
GitHubは、リポジトリの保護設定を管理する「ルールセット(rulesets)」に、プルリクエストのレビューを却下(dismiss)できるユーザーやチームを限定する新機能を追加した。承認済みのレビューが不適切に取り消される事態を防ぎ、組織がコードレビューの統制をより明示的に強化できるようになる点が特徴だ。
前提として、GitHubのプルリクエストではレビュアーが「承認」「変更を要求」「コメント」といった評価を残せる。このうち既存のレビューを無効化する「却下」操作は、これまで書き込み権限を持つメンバーが比較的広く実行できるケースがあり、承認プロセスの抜け穴になりうるという指摘があった。今回の機能では、この却下を実行できる主体をルールセット上で明示的に指定できる。
ルールセットは、従来の「ブランチ保護ルール(branch protection rules)」を発展させた仕組みで、組織レベルでまとめて適用したり、複数のルールを重ねて評価したりできる柔軟性を持つ。GitHubは近年、機能をルールセットへ集約する方向にあり、今回の追加もその一環と位置づけられる。
GitHubのルールセットにプルリクエストのレビューを却下できるユーザーやチームを限定する機能が追加された。
この変更は、ソフトウェアサプライチェーンのセキュリティやコンプライアンス対応を重視する組織にとって意味が大きい。承認済みコードが正規の手続きを経ずにマージされるリスクを抑えられるためで、SOC 2やISO関連の監査要件を満たすうえでも有用と見られる。同様の統制は、GitLabのマージリクエスト承認ルールなど競合サービスでも提供されており、コードレビューの権限をきめ細かく制御したいという需要は業界全体で高まっている。
一方で、却下できる担当者を絞りすぎると、緊急時の対応が滞る可能性もある。運用にあたっては、権限を持つチームの構成や、担当者不在時の代替手段をあらかじめ整理しておくことが望ましいだろう。
GitHub has added the ability to restrict which users or teams can dismiss pull request reviews through rulesets, giving organizations more precise control over one of the more sensitive actions in the code review workflow. Dismissing a review effectively removes a prior approval or a "changes requested" verdict from the record, so governing who can perform that action matters for teams that treat review as a compliance or security gate rather than a courtesy.
In practice, a dismissed review no longer counts toward the approvals a pull request needs before it can merge, and it clears the outstanding objection a reviewer may have raised. In the past, that capability was generally available to anyone with sufficient write or administrative access to the repository, which meant an author or a colleague could, in principle, wave away a reviewer's blocking feedback. The new ruleset option lets administrators name the specific users, teams, or roles permitted to dismiss reviews, so the action is limited to a trusted subset instead of being implicitly granted to a broad group.
The feature lands within rulesets, GitHub's newer governance layer that overlaps with and increasingly supersedes classic branch protection rules. Rulesets were designed to be more flexible and scalable: they can be defined at the repository or organization level, can target multiple branches or tags using naming patterns, can be layered so that several rules apply at once, and expose an evaluation and enforcement model that is easier to audit. They also support an explicit bypass list, letting organizations define exactly who is exempt from a given rule. Branch protection has long included a comparable "restrict who can dismiss pull request reviews" setting, so this change appears aimed at bringing feature parity to rulesets and encouraging teams to consolidate their controls in one place.
For organizations, the practical benefit is stronger and more explicit governance over the review process. Code review is frequently one of the controls cited in internal policies, audit requirements, and software supply chain frameworks, where an approving review serves as evidence that a change was independently examined before shipping. If an approved or blocking review can be dismissed by too many people, that evidence becomes weaker and the control is easier to circumvent. Restricting dismissal to designated reviewers or a security team reduces the risk that a legitimate objection is quietly removed to unblock a merge, whether by mistake or intent.
It is worth distinguishing this control from adjacent review settings that rulesets already offer. Requiring a minimum number of approvals, requiring review from code owners, and dismissing stale approvals automatically when new commits are pushed all shape how reviews accumulate and expire. The new option instead governs the manual act of clearing a review that already exists. Used together, these rules let an organization describe a fairly complete review policy: how many approvals are needed, who must give them, when they reset, and now who is allowed to discard them.
The change fits a broader industry emphasis on tightening the controls around code before it reaches production. Concerns about supply chain integrity, reflected in frameworks such as SLSA and in various regulatory and internal audit expectations, have pushed platforms to make review and merge policies more granular and more auditable. Restricting review dismissal is a small but meaningful piece of that picture, because it closes a path by which an otherwise enforced review requirement could be neutralized.
Teams evaluating the feature should confirm how it interacts with existing branch protection rules, since running overlapping configurations across both systems can make the effective policy harder to reason about. Organizations that have not yet migrated from branch protection to rulesets may want to review where each control is defined and consolidate where it makes sense. As with other ruleset options, administrators can scope the restriction to specific repositories or apply it organization-wide, and the bypass mechanism remains available for cases where a defined set of actors needs to operate outside the rule. The capability is configured alongside GitHub's other pull request rules, so existing review policies can be extended without a separate workflow.
本ページの本文・要約は AI による自動生成です。正確性は元記事 (github.blog) をご確認ください。