Restrict protected branch unprotection
In tightly controlled environments, like those that have regulatory review requirements, it is critical that only reviewed code reaches master. This can be configured using protected branches by setting 'No one' to have push permissions for master, but this can be changed by anyone with Owner or Master permissions for the project. These organizations need a mechanism to enforce this rule and prevent it from being changed or removed except by an Admin.
A large company with over 10,000 repos that wants to move to GitLab needs to ensure that only specifically authorized users can EVER push to the master branch. They need to be able to enforce that no one can push to master for regulatory reasons.
Proposal
- Add attribute unprotect_level to protected branches denoting who can edit/remove the protected branch rule (e.g. currently masters can, but this will allow owners, or admins)
- Update the API to allow checking and setting this attribute
- Update the protected branch interface to show who can unprotect the protected branch and prevent them from being edited/removed by users without unprotect permissions
- Update the protected branch interface to allow users with unprotect permissions to add/edit/remove protected branches: moved to https://gitlab.com/gitlab-org/gitlab-ee/issues/5496 (%10.8)
The unprotect permissions and API will allow customers to automatically protect projects with the following configuration:
- The GitLab system hook is triggered by new projects, notifying a script that a new project needs to be protected
- A script uses the GitLab API to create an 'admin owned' protected branch, which only admins can change or remove, with Allowed to push set to 'No one'
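The automation described above, as an added example that is not part of the original issue or GitLab's own code: it checks the system hook's shared secret, acts only on project_create events, and builds the Protected Branches API call. It assumes the API parameter is named unprotect_access_level (the proposal calls the attribute unprotect_level) with 60 meaning Admin; the instance URL, secret and function names are placeholders.

```python
import hmac
import json
import urllib.parse
import urllib.request

GITLAB_URL = "https://gitlab.example.com"  # assumption: placeholder instance URL
NO_ACCESS, ADMIN = 0, 60                   # access levels: 0 = No one, 60 = Admin


def plan_protection(headers, body, hook_secret, branch="master"):
    """Validate a system hook delivery; return (url, form) or None."""
    # Reject deliveries that lack the secret token configured on the hook.
    token = headers.get("X-Gitlab-Token", "")
    if not hmac.compare_digest(token.encode(), hook_secret.encode()):
        raise PermissionError("system hook token mismatch")
    event = json.loads(body)
    if event.get("event_name") != "project_create":
        return None  # other system events need no action
    project_id = int(event["project_id"])  # int() rejects non-numeric ids
    form = {
        "name": branch,
        "push_access_level": NO_ACCESS,    # Allowed to push: No one
        # Assumed parameter name for the proposal's unprotect_level attribute.
        "unprotect_access_level": ADMIN,   # only admins may edit/remove the rule
    }
    return f"{GITLAB_URL}/api/v4/projects/{project_id}/protected_branches", form


def apply_protection(url, form, admin_token):
    """POST the rule with an admin API token; returns the HTTP status."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"PRIVATE-TOKEN": admin_token},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample delivery (not captured from a real instance).
SAMPLE_HEADERS = {"X-Gitlab-Event": "System Hook", "X-Gitlab-Token": "s3cret"}
SAMPLE_BODY = json.dumps({"event_name": "project_create", "project_id": 74,
                          "path_with_namespace": "team/new-service"})

if __name__ == "__main__":
    print(plan_protection(SAMPLE_HEADERS, SAMPLE_BODY, "s3cret"))
```

The admin token passed to apply_protection should be stored outside the script, since it can change protection on every project the hook reports.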
Future possible enhancements:
- add a method for automatically applying protected branches to new and imported projects, perhaps using project templates or a new admin setting.
Links / references
- Templated project creation - Issue https://gitlab.com/gitlab-org/gitlab-ee/issues/1602
- Approvers based on code owners - Issue https://gitlab.com/gitlab-org/gitlab-ee/issues/1012
- https://docs.gitlab.com/ee/api/protected_branches.html
- https://gitlab.my.salesforce.com/00161000004zrG3