# GH_CanWriteBranch

> [Repository - Computed] Role can push to this branch after evaluating branch protection rules, push restrictions, and bypass allowances

Applies to BloodHound Enterprise and CE

## Edge Schema

* Source: [GH\_RepoRole](/opengraph/extensions/github/nodes/gh_reporole), [GH\_User](/opengraph/extensions/github/nodes/gh_user), [GH\_Team](/opengraph/extensions/github/nodes/gh_team)
* Destination: [GH\_Branch](/opengraph/extensions/github/nodes/gh_branch)
* Traversable: ✅

## General Information

The traversable GH\_CanWriteBranch edge is a computed edge indicating that a role or actor can push to a specific branch. The computation evaluates both the merge gate (PR review requirements) and the push gate (push restrictions) of any branch protection rule (BPR) protecting the branch. Role-level edges are the common case; per-actor edges from [GH\_User](/opengraph/extensions/github/nodes/gh_user) or [GH\_Team](/opengraph/extensions/github/nodes/gh_team) are only emitted when BPR allowances grant access beyond what the role provides. Each edge includes a `reason` property (`no_protection`, `admin`, `push_protected_branch`, `bypass_branch_protection`, `push_allowance`, `bypass_pr_allowance`) and a `query_composition` property holding a Cypher query that shows the underlying graph evidence.

## Scenarios

### `no_protection` — Unprotected branch

Branch has no BPR. Any write-capable role can push directly.

```mermaid
graph LR
    role("GH_RepoRole write") -->|GH_WriteRepoContents| repo("GH_Repository")
    repo -->|GH_HasBranch| branch("GH_Branch develop")
    role ==>|GH_CanWriteBranch| branch
```

### `admin` — Admin bypasses both gates

BPR blocks both the merge gate (PR reviews) and push gate (push\_restrictions). The admin role bypasses both gates. Requires `enforce_admins=false`; when `enforce_admins=true`, admin cannot bypass the merge gate.

```mermaid
graph LR
    role("GH_RepoRole admin") -->|GH_AdminTo| repo("GH_Repository")
    repo -->|GH_HasBranch| branch("GH_Branch main")
    bpr("GH_BranchProtectionRule\nrequired_pull_request_reviews\npush_restrictions\nenforce_admins=false") -->|GH_ProtectedBy| branch
    role ==>|GH_CanWriteBranch| branch
```

### `push_protected_branch` — Push gate bypass

Push gate blocked by `push_restrictions` (no merge gate block). The [GH\_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch) permission bypasses the push gate regardless of `enforce_admins`.

```mermaid
graph LR
    role("GH_RepoRole maintain") -->|GH_WriteRepoContents| repo("GH_Repository")
    role -->|GH_PushProtectedBranch| repo
    repo -->|GH_HasBranch| branch("GH_Branch main")
    bpr("GH_BranchProtectionRule\npush_restrictions") -->|GH_ProtectedBy| branch
    role ==>|GH_CanWriteBranch| branch
```

### `bypass_branch_protection` — Merge gate bypass

Merge gate blocked by PR reviews. The [GH\_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) permission bypasses the merge gate. Requires `enforce_admins=false`; suppressed when `enforce_admins=true`.

```mermaid
graph LR
    role("GH_RepoRole custom") -->|GH_WriteRepoContents| repo("GH_Repository")
    role -->|GH_BypassBranchProtection| repo
    repo -->|GH_HasBranch| branch("GH_Branch main")
    bpr("GH_BranchProtectionRule\nrequired_pull_request_reviews\nenforce_admins=false") -->|GH_ProtectedBy| branch
    role ==>|GH_CanWriteBranch| branch
```

### `push_allowance` — Per-actor push restriction bypass

User or Team listed in the BPR's `pushAllowances` bypasses the push gate. This is a per-actor delta edge — only emitted when the actor's role-level access doesn't already cover the branch.

```mermaid
graph LR
    user("GH_User alice") -->|GH_HasRole| role("GH_RepoRole write")
    role -->|GH_WriteRepoContents| repo("GH_Repository")
    repo -->|GH_HasBranch| branch("GH_Branch main")
    bpr("GH_BranchProtectionRule\npush_restrictions") -->|GH_ProtectedBy| branch
    user -->|GH_RestrictionsCanPush| bpr
    user ==>|GH_CanWriteBranch| branch
```

### `bypass_pr_allowance` — Per-actor PR review bypass

User or Team listed in the BPR's `bypassPullRequestAllowances` bypasses the merge gate (PR reviews only, not `lock_branch`). Requires `enforce_admins=false`. This is a per-actor delta edge — only emitted when the actor's role-level access doesn't already cover the branch.

```mermaid
graph LR
    user("GH_User alice") -->|GH_HasRole| role("GH_RepoRole write")
    role -->|GH_WriteRepoContents| repo("GH_Repository")
    repo -->|GH_HasBranch| branch("GH_Branch main")
    bpr("GH_BranchProtectionRule\nrequired_pull_request_reviews\nenforce_admins=false") -->|GH_ProtectedBy| branch
    user -->|GH_BypassPullRequestAllowances| bpr
    user ==>|GH_CanWriteBranch| branch
```
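
Each `reason` value in the scenarios above identifies which gate a principal bypasses and whether the page ties that path to `enforce_admins=false`. The following added example (not BloodHound's own code) triages GH\_CanWriteBranch edges on that basis for a branch-protection review; the record shape, the `triage` function and all sample names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Facts per reason, taken from the scenario descriptions on this page:
# (gates the principal bypasses, page says enforce_admins=false is required)
REASONS = {
    "no_protection":            ((), False),
    "admin":                    (("merge", "push"), True),
    "push_protected_branch":    (("push",), False),
    "bypass_branch_protection": (("merge",), True),
    "push_allowance":           (("push",), False),  # no enforce_admins condition stated
    "bypass_pr_allowance":      (("merge",), True),
}
PER_ACTOR_KINDS = {"GH_User", "GH_Team"}  # delta edges; role edges come from GH_RepoRole


def triage(edges):
    """Group GH_CanWriteBranch edges by branch and describe each write path."""
    report = defaultdict(lambda: {"unprotected": False, "bypass": [], "needs_enforce_admins_false": []})
    for e in edges:
        if e["reason"] not in REASONS:
            raise ValueError(f"undocumented reason: {e['reason']!r}")
        gates, needs_off = REASONS[e["reason"]]
        entry = report[e["branch"]]
        if e["reason"] == "no_protection":
            entry["unprotected"] = True  # no BPR: any write-capable role can push
            continue
        kind = "actor" if e["source_kind"] in PER_ACTOR_KINDS else "role"
        entry["bypass"].append((e["source"], kind, e["reason"], gates))
        if needs_off:
            entry["needs_enforce_admins_false"].append(e["source"])
    return dict(report)


# Constructed sample records (hypothetical export shape, not a BloodHound format).
SAMPLE_EDGES = [
    {"source": "write", "source_kind": "GH_RepoRole", "branch": "develop", "reason": "no_protection"},
    {"source": "admin", "source_kind": "GH_RepoRole", "branch": "main", "reason": "admin"},
    {"source": "custom", "source_kind": "GH_RepoRole", "branch": "staging", "reason": "bypass_branch_protection"},
    {"source": "alice", "source_kind": "GH_User", "branch": "staging", "reason": "bypass_pr_allowance"},
    {"source": "maintain", "source_kind": "GH_RepoRole", "branch": "release", "reason": "push_protected_branch"},
    {"source": "release-eng", "source_kind": "GH_Team", "branch": "release", "reason": "push_allowance"},
]

if __name__ == "__main__":
    for branch, entry in triage(SAMPLE_EDGES).items():
        print(branch, entry)
```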
