Allow Deploy keys to push to protected branches once more
Problem to solve
Prior to GitLab v12.0, Deploy Keys with write access could push commits to protected branches. This no longer works, and it makes Deploy Keys mostly unusable for our use case as they currently behave.
Intended users
Sascha (Software Developer), Devon (DevOps Engineer)
Further details
We used a Deploy Key to push the updated package.json version to the master branch whenever a new version of our NPM package was released. Now we either have to unprotect the master branch (allowing all developers to push to master) or create a bogus/bot user that has the correct permissions. It is obvious why unprotecting master is not a good idea; one simple reason that comes to mind is that it's easy to push commits to the wrong branch by mistake. Creating a CI/bot user will cost additional money, as we are on the Silver plan, as well as add user management overhead.
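As an added example (not code from the issue author or from GitLab), this is the shape of the release job described above: a CI step that bumps the version field in package.json, commits it, and pushes to master using only the deploy key. It assumes the deploy key's private half is available on the runner at the path in DEPLOY_KEY_FILE and that the remote named origin is the project's SSH URL; the function names and the RUN_RELEASE/NEW_VERSION variables are assumptions for the sake of the example.

```shell
#!/usr/bin/env bash
# Added example: release job that pushes a package.json version bump to master
# with a deploy key. Assumed inputs (not from the issue):
#   DEPLOY_KEY_FILE  path to the deploy key's private half (a CI secret)
#   NEW_VERSION      version to write into package.json
set -eu

# Rewrite the "version" field of package.json in place and print the new value.
# A plain text edit is used so the job does not depend on node/npm being present.
bump_package_version() {
  file="$1"
  new="$2"
  # Accept only a major.minor.patch shape; anything else is a job failure.
  case "$new" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "bad version: $new" >&2; return 1 ;;
  esac
  sed -i.bak -E "s/(\"version\"[[:space:]]*:[[:space:]]*\")[^\"]*(\")/\1${new}\2/" "$file"
  rm -f "$file.bak"
  sed -nE 's/.*"version"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1/p' "$file"
}

# Commit the bump with a dedicated identity and push it to master over SSH.
# GIT_SSH_COMMAND pins the deploy key and IdentitiesOnly=yes stops ssh from
# offering any other key present on the runner. With a write-enabled deploy
# key this succeeded on a protected master before GitLab 12.0; afterwards the
# server rejects the push and the job fails at this step.
push_version_bump() {
  repo_dir="$1"
  version="$2"
  key_file="$3"
  git -C "$repo_dir" add package.json
  git -C "$repo_dir" -c user.name="release-bot" -c user.email="release-bot@example.invalid" \
    commit -m "chore(release): v${version}"
  GIT_SSH_COMMAND="ssh -i ${key_file} -o IdentitiesOnly=yes" \
    git -C "$repo_dir" push origin HEAD:master
}

# Entry point for the CI job; guarded so the functions can be sourced for testing.
if [ "${RUN_RELEASE:-0}" = "1" ]; then
  v=$(bump_package_version package.json "$NEW_VERSION")
  push_version_bump . "$v" "$DEPLOY_KEY_FILE"
fi
```

The deploy key should be the only credential the job has: restrict the key file to the runner user (mode 0600) and keep the key out of the repository itself, so that a compromised pipeline can at most push to this one project rather than act as a human account.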
Proposal
For us, it would be fine if Deploy Keys could always push to protected branches. If there are concerns about this approach, I suggest making it possible to allow Deploy Keys to push either in the settings for the deploy key or in the settings for the protected branch.
- A Deploy Key currently has a "Write access allowed" setting. An additional setting could be added below: "Write access to protected branches allowed".
- When configuring protected branches, there could be an area next to "Roles" for deploy keys that can be toggled on/off. It could simply say "Allow Deploy Key access".
Permissions and Security
Documentation
Testing
What does success look like, and how can we measure that?
Links / references
https://gitlab.com/gitlab-org/gitlab-ce/issues/65715 (Documentation)