Admin owned protected branch rules
In tightly controlled environments, such as those with regulatory review requirements, it is critical that only reviewed code reaches master. Today this can be configured with protected branches by setting 'Allowed to push' to 'No one' for master, but anyone with Owner or Master permissions on the project can change or remove that rule. These organizations need a mechanism to enforce the rule and prevent it from being changed or removed by anyone except an Admin.
A large company with over 10,000 repos that wants to move to GitLab needs to ensure that only specifically authorized users can EVER push to the master branch. For regulatory reasons they need to be able to enforce that no one can push directly to master.
- Add attribute to protected branches denoting if the rule can only be edited/removed by an admin
- Update the API to allow checking and setting this attribute
- Update the protected branch interface to show admin owned protected branches and prevent them from being removed by non-admins
- Update the protected branch interface to allow admins to add/edit/remove admin owned protected branches
The unprotect permissions and API will allow customers to automatically protect projects with the following configuration:
- The GitLab system hook is triggered by new projects, notifying a script a new project needs to be protected
- A script uses the GitLab API to create an 'admin owned' protected branch for master with Allowed to push set to 'No one', a rule that only admins can change or remove
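The hook-driven flow above, as an added example (not code from GitLab or from this issue): a handler that receives the `project_create` system hook, checks the hook's secret token, and creates the protected branch rule through the existing `POST /projects/:id/protected_branches` API. The `name`, `push_access_level` and `merge_access_level` parameters and the access level values 0 (No one) and 40 (Master) exist in the API today; the `admin_owned` parameter stands in for the attribute this issue proposes and is an assumption, as are the instance URL, the constructed hook payload and the injectable `send` callable used to keep the example runnable offline.

```python
import hmac
import json
import urllib.parse
import urllib.request

# Assumed instance URL; the real value comes from configuration.
GITLAB_URL = "https://gitlab.example.com"

# Protected-branch access levels documented by the GitLab API.
NO_ACCESS = 0        # "No one"
MASTER_ACCESS = 40   # Master role (renamed Maintainer in later releases)

# Constructed sample of a project_create system hook body (not a real capture).
SAMPLE_HOOK = json.dumps({
    "created_at": "2017-01-01T12:00:00Z",
    "event_name": "project_create",
    "name": "payments",
    "path_with_namespace": "finance/payments",
    "project_id": 74,
    "project_visibility": "private",
})


def verify_hook(headers, secret):
    """Constant-time comparison of the X-Gitlab-Token header against the
    secret configured on the system hook. Reject anything without it, so an
    attacker who can reach the endpoint cannot drive our Admin API token."""
    presented = headers.get("X-Gitlab-Token", "")
    return hmac.compare_digest(presented, secret)


def project_id_from_hook(payload):
    """Return the project id for a project_create event, else None.
    System hooks also fire for project_destroy, user_add_to_team, etc.,
    which must be ignored rather than acted on."""
    data = json.loads(payload)
    if data.get("event_name") != "project_create":
        return None
    return int(data["project_id"])


def protect_fields(branch="master"):
    """Form fields for the protected branch rule: nobody may push directly,
    Master-level users may still merge reviewed merge requests.
    `admin_owned` is the hypothetical attribute proposed in this issue."""
    return {
        "name": branch,
        "push_access_level": NO_ACCESS,
        "merge_access_level": MASTER_ACCESS,
        "admin_owned": "true",  # assumption: not an existing API parameter
    }


def protect_request(project_id, token, branch="master"):
    """Build the POST request that creates the rule. The token must belong
    to an Admin account, otherwise an admin-owned rule cannot be created."""
    url = f"{GITLAB_URL}/api/v4/projects/{project_id}/protected_branches"
    body = urllib.parse.urlencode(protect_fields(branch)).encode()
    return urllib.request.Request(
        url, data=body, method="POST", headers={"PRIVATE-TOKEN": token}
    )


def _send(request):
    """Default transport: perform the request and return the HTTP status."""
    with urllib.request.urlopen(request) as resp:
        return resp.status


def handle_hook(headers, payload, hook_secret, api_token, send=_send):
    """Process one system hook delivery and report what was done.
    `send` is injectable so the logic can be exercised without a network."""
    if not verify_hook(headers, hook_secret):
        return "rejected"
    project_id = project_id_from_hook(payload)
    if project_id is None:
        return "ignored"
    status = send(protect_request(project_id, api_token))
    # 201 Created is success; 409 means a rule for that branch already exists
    # (e.g. the hook was redelivered), which is safe to treat as done.
    if status in (201, 409):
        return "protected"
    return f"error:{status}"


if __name__ == "__main__":
    headers = {"X-Gitlab-Token": "hook-secret", "X-Gitlab-Event": "System Hook"}
    print(handle_hook(headers, SAMPLE_HOOK, "hook-secret", "admin-token",
                      send=lambda req: 201))
```

Note that the hook fires after the project exists, so there is a short window in which master is unprotected; a project template or an admin setting that applies the rule at creation time (the enhancement listed below) closes that window, and the hook-driven script is a fallback until then.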
Future possible enhancements:
- add a method for automatically applying protected branches to new and imported projects, perhaps using project templates or a new admin setting.
Links / references
- Templated project creation - Issue #1602
- Approvers based on code owners - Issue #1012