I am trying to find out what options there are to protect the CI config files from changes on feature branches.
Circle CI uses a special file in the repository to store the CI configuration.
There is a major issue with this: anybody can just introduce arbitrary changes on a branch of their choosing that is not protected. Is there a way to protect the CI configuration files from such changes on GitHub?
It probably is going to depend somewhat on your use case, as well as what specific things you’re concerned about. If you’re using a model where contributors are forking a copy, you can set some restrictions there.
In general, I would say this is mostly a feature, not a bug, but maybe frame the question in terms of the specific things you're trying to protect? If you're concerned about people running jobs with ssh, getting access to secrets, or deploying things, there are probably some things you can do that will help there. With secrets / deploys, you could look at using restricted contexts; there are some new settings around disabling ssh for builds.
There might be some options if you use GH’s option to use regex for branch protection, but I think in most cases, on some level, you’re going to need to trust people who are allowed to contribute, at least at a base level.
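As an added illustration of the restricted-contexts approach mentioned in the answer (this is example config, not from the original thread or from CircleCI's docs), the snippet below keeps deploy secrets out of the job that anyone can reach from a feature branch. The context name `prod-deploy`, the image, and `deploy.sh` are assumptions.

```yaml
# CircleCI config (2.1 syntax). Anyone who can push a branch can edit this
# file, so nothing written here is itself a security boundary. The protection
# comes from the org-level setting: the context below must be restricted to a
# security group (Organization Settings -> Contexts) so that pipelines
# triggered by users outside that group cannot attach it at all.
version: 2.1

jobs:
  test:
    docker:
      - image: cimg/base:stable   # assumed image
    steps:
      - checkout
      - run: make test
    # No context here: a feature branch can rewrite this job freely and still
    # only gets whatever plain project-level env vars exist. Keep deploy
    # credentials out of project-level env vars for exactly that reason.

  deploy:
    docker:
      - image: cimg/base:stable   # assumed image
    steps:
      - checkout
      - run: ./deploy.sh          # assumed script; reads creds from the context

workflows:
  build-and-deploy:
    jobs:
      - test
      - deploy:
          requires: [test]
          # Restricted context (assumed name). Secrets are injected only into
          # this job, and only when the triggering user is in the allowed
          # security group; an outsider's modified config fails to run it.
          context: prod-deploy
          # The branch filter is convenience, not protection: an attacker can
          # delete it on their branch. It does stop accidental deploys from
          # legitimate feature branches.
          filters:
            branches:
              only: main
```

Pairing the restricted context with GitHub branch protection on `main` covers both halves the answer describes: who can merge config changes, and who can see secrets while they are unmerged.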