How to configure GitHub permissions and workflow: restrict commits to the master branch and standardize PR review?
Hey there! As someone who’s built and refined compliant GitHub workflows for commercial software teams, let’s break down your questions clearly:
1. Core GitHub Settings to Block Direct Commits to Master/Main
To prevent anyone from pushing directly to your master (or main) branch, these are the non-negotiable settings:
- Create a branch protection rule for master/main: This is the foundation—without a rule, none of the restrictions apply.
- Check "Restrict pushes to matching branches": Exactly what you noted—this blocks all direct pushes to the branch by default.
- Check "Include administrators": Don’t skip this! By default, repo admins can bypass branch rules; enabling this ensures everyone (even admins) follows the workflow unless you set exceptions.
- Require pull request reviews before merging: This forces all changes to go through a PR, eliminating the possibility of direct commits entirely.
- Optional but recommended: Require status checks to pass: If you use CI/CD tools (like unit tests, code linters, or security scans), this ensures only validated code makes it to master.
2. Additional Settings for Your Target Compliance Workflow
You’ve already checked "Restrict pushes to matching branches"—great start. To enforce your workflow (junior devs submit PRs for review, only senior leads can merge/push to master), add these critical settings:
- Check "Require pull request reviews before merging": This locks down the branch so junior engineers can’t push directly—they have to submit a PR for approval.
- Set "Required reviewers": In the branch protection rule, add your senior lead(s) as mandatory reviewers. This means their explicit approval is required before any PR can be merged into master.
- Check "Include administrators": Ensure even other repo admins can’t bypass the rules—keep the workflow consistent across the team.
- Optional: Add leads to the "Bypass list": If you need to let leads push directly in emergency cases (though we strongly recommend sticking to PRs even then), add their GitHub accounts here. This lets them skip the review requirement only when absolutely necessary.
- Optional: Enforce linear history: Check "Require linear history" to ensure merged PRs use rebase instead of merge commits. This keeps your master branch history clean and easier to audit—perfect for compliance-focused environments.
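As an added example (not part of the original answer), the checklist above expressed against GitHub's branch-protection REST endpoint, `PUT /repos/{owner}/{repo}/branches/{branch}/protection`: one function builds the request body that enforces the workflow, and a second audits an existing rule (the shape `GET` returns) against the same checklist, so a compliance reviewer can flag a master branch that still allows direct pushes, admin bypass or merge commits. The owner, repo, user names, CI context and the weak sample rule are constructed placeholders; the answer's "required reviewers" is approximated here by requiring code-owner review, which assumes the leads are listed in a CODEOWNERS file.

```python
"""Build and audit a GitHub branch-protection rule for master/main.

Added example, not code from the original Q&A. Targets the classic endpoint
PUT /repos/{owner}/{repo}/branches/{branch}/protection. All names and the
sample rule below are constructed placeholders.
"""
import json
import os
import urllib.request

API = "https://api.github.com"


def build_protection_payload(status_contexts=(), emergency_pushers=()):
    """Request body enforcing: no direct pushes, PR review by a lead,
    admins included, linear history. emergency_pushers is the bypass list."""
    return {
        # "Require status checks to pass": listed CI contexts gate the merge.
        "required_status_checks": (
            {"strict": True, "contexts": list(status_contexts)} if status_contexts else None
        ),
        # "Include administrators": admins follow the rule too.
        "enforce_admins": True,
        # "Require pull request reviews before merging".
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": True,
            # Assumption: leads are declared in CODEOWNERS, so this makes
            # their approval mandatory (the answer's "required reviewers").
            "require_code_owner_reviews": True,
            "required_approving_review_count": 1,
        },
        # "Restrict pushes to matching branches": empty lists mean nobody can
        # push directly; leads appear here only for the emergency bypass.
        "restrictions": {"users": list(emergency_pushers), "teams": [], "apps": []},
        # "Require linear history": no merge commits on master.
        "required_linear_history": True,
        "allow_force_pushes": False,
        "allow_deletions": False,
    }


def _enabled(section):
    """GET wraps booleans as {"enabled": bool}; a missing section means off."""
    return bool(section and section.get("enabled"))


def audit_protection(protection):
    """Compare a GET .../protection response with the checklist.
    Returns a list of findings; an empty list means the rule is compliant."""
    findings = []
    if not _enabled(protection.get("enforce_admins")):
        findings.append("admins can bypass the rule (enable 'Include administrators')")
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("no pull request review required")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("review required but zero approvals needed")
        if not reviews.get("require_code_owner_reviews"):
            findings.append("lead (code owner) approval not mandatory")
    if protection.get("restrictions") is None:
        findings.append("pushes not restricted: anyone with write access can push")
    if not _enabled(protection.get("required_linear_history")):
        findings.append("merge commits allowed: history is not linear")
    if _enabled(protection.get("allow_force_pushes")):
        findings.append("force pushes allowed: history can be rewritten")
    if protection.get("required_status_checks") is None:
        findings.append("no required status checks (CI not gating master)")
    return findings


def as_get_shape(payload):
    """Re-wrap a PUT body the way GET reports it, so a planned rule can be
    audited before it is sent."""
    out = dict(payload)
    for key in ("enforce_admins", "required_linear_history",
                "allow_force_pushes", "allow_deletions"):
        out[key] = {"enabled": bool(payload.get(key))}
    return out


def apply_protection(owner, repo, branch, payload, token):
    """PUT the rule; needs a token with admin rights on the repo and network."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/branches/{branch}/protection",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample: a rule that exists but enforces almost nothing.
WEAK_PROTECTION = {
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {"required_approving_review_count": 0,
                                      "require_code_owner_reviews": False},
    "restrictions": None,
    "required_linear_history": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "required_status_checks": None,
}

if __name__ == "__main__":
    for finding in audit_protection(WEAK_PROTECTION):
        print("FINDING:", finding)
    payload = build_protection_payload(status_contexts=["ci/test"])
    print(json.dumps(payload, indent=2))
    if os.environ.get("GITHUB_TOKEN"):  # only sends when a token is supplied
        apply_protection("example-org", "example-repo", "master", payload,
                         os.environ["GITHUB_TOKEN"])
```

Run it without a token to see the findings for the weak rule and the body that would fix it; `audit_protection` can also be pointed at the JSON from `gh api repos/OWNER/REPO/branches/master/protection` to check a live repository against the same checklist.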
The question comes from Stack Exchange; the question's author is Bob Wakefield.