Allow specifying protected branches using wildcards

Merged Timothy Andrew requested to merge 18627-wildcard-branch-protection into master

Closes #18627 (closed)


  • #18627 (closed) !4665 (merged) Allow specifying protected branches using wildcards
    • Find existing usages of protected branches
      • Protecting branches
        • ProtectedBranchesController is used to mark a branch protected/unprotected
        • API::Branches can be used to mark a branch protected/unprotected
      • Enforcing branch protection
        • Gitlab::GitAccess has helpers (can_push_to_branch?, check) that are used to deny pushes if a branch is protected
        • Over SSH: gitlab-shell receives a push, and calls /allowed on the GitLab API, which calls GitAccess.check
        • Over HTTP:
          • gitlab-workhorse receives the request, and forwards it to rails
          • Rails (in the GitHttpController#git-recieve-pack) runs basic checks (is the user logged in, not protected branch checks) and returns ok with GL_ID and RepoPath
          • gitlab-workhorse looks at the response, and calls the relevant gitlab-shell action from git-http/handlePostRPC
          • Rest of this flow is the same as the SSH flow above
    • Implementation
      • Backend
        • Change project#protected_branch? to look at wildcard protected branches
        • Change project#developers_can_push_to_protected_branch?
        • Change project#open_branches
        • Better error message when creating a disallowed branch from the Web UI
      • Frontend
        • Protected branches page should allow typing out a wildcard pattern
        • Add help text explaining the use of wildcards
        • Show matching branches for each protected branch
          • On the index page
          • On a show page
          • Index?
        • Can't have the "last commit" column for wildcard protected branches
    • Fix / write tests
    • What happens if a hook is missing in dev?
    • Refactor
    • Test workflows
      • Create a branch matching a wildcard pattern
      • Push to a branch matching a wildcard pattern
      • Force push to a branch matching a wildcard pattern
      • Delete a branch matching a wildcard pattern
      • Test using Web UI
      • Test over SSH
      • Test over HTTP
      • Test as developer and master
    • Investigate performance
      • Test with a large number of protected branches / branches
      • Paginate list of protected branches
      • Possibly rewrite open_branches
    • Add iids to existing ProtectedBranches
    • Add documentation
    • Add CHANGELOG entry
    • Add screenshots
    • Make sure build passes
    • Assign to endboss for review
    • Address @DouweM's comments
      • protected_branch_params
      • exact_match instead of explicit_match
      • When would be blank?
      • Move protected_branches.each to a partial
      • Move matching_branches.each to a partial
      • If the branch is in @matching_branches, it's not been removed
      • move this regex to a method and memoize it
      • commit_sha directly for exact matches
      • Number of matches for wildcard matches, with a link
    • Wait for build to pass
    • Respond to @DouweM's comments
      • Don't use iid
      • Controller should use
      • move the memoization to def wildcard_regex
      • render with collection: @protected_branches
    • Wait for build to pass
    • Wait for @DouweM's review
    • Wait for @jschatz1's review
    • Respond to @jschatz1's comments
      • Use the new dropdown style
      • description should be moved to the description section without the styling
      • Protect button should be disabled when no branch is selected
    • Update screenshots
    • Merge conflicts
    • Make sure build passes
    • Revisit performance, possibly with staging/production data
      • Get a dump of staging / run against staging live
        • Get SSH access to staging
    • Wait for review/merge


Creating wildcard protected branches

1 2 3 4

Using the GLDropdown component


Enforcing wildcard protected branches

From the Web UI


Over SSH




Listing matching branches