[meta] Branch permissions
This issue serves as an umbrella issue for the following features:
- gitlab-org/gitlab-ce#18627 Allow specifying protected branches using wildcards
- gitlab-org/gitlab-ce#18193 Add "developers can merge" as an option for protected branches
- gitlab-org/gitlab-ce#18193 Add "no one can push" as an option for protected branches
- #674 (closed) Restrict pushes / merges (separately) to specific people
- #675 (closed) Restrict pushes / merges (separately) to specific groups
- #720 (closed) Add support for branch level read permissions
Description including problem, use cases, benefits, and/or goals
Some projects have complex requirements in terms of deployments and pushing code. To still be able to use git easily as a team, but not run the risk of accidentally making changes on a branch you shouldn't, you can use protected branches.
However, manually changing every branch to protected can be a lot of work and prevents automation and quick shipping, while maintaining this security. Therefore we want to be able to:
- Automatically protect branches based on certain wildcards
- Restrict push access to these branches for specific people (groups or single users)
old proposal
The ability to create rules for protecting branches (1) and to restrict push access to certain people (2).
A rule should consist of one or two things:
- A rule based on when a branch should be protected: `production/*` or `production` or `production/the-real-thing`. This should allow for `*` wildcards or just a branch name. Other examples: `*-stable`, `*-stable`. Restrict wildcard use to edges if necessary.
- A user or group. If none is used, normal rules for protected branches are applied. If a user or group is added, pushing should ONLY be allowed by these people. This can be anyone*.
When setting a rule for a group
- any group can be set
- the group should automatically have this project shared with it (using the 'share with group' feature)
- should be communicated in the UI
When setting a rule for a person
- the person should be added to the project with master level access
- this should be communicated in the UI
old issue
Something like:
- allow wildcard for protected branches
- allow per-user permission to protected branches.
- some other feature

So people who used the protected branches feature in CE can continue to use it in EE but with more flexibility.
Zendesk issue: https://gitlab.zendesk.com/agent/tickets/13653 and https://gitlab.zendesk.com/agent/tickets/19387
Gerrit allows per branch permissions. The customer uses this feature but would like to switch entirely to GitLab. They use a similar release branching strategy to GitLab. Each release has a release manager, or release team, that is responsible for that release branch going forward. Patches should only be approved by the release team so they want the ability to set these permissions on a branch directly.
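
The rule model from the old proposal above (a wildcard branch pattern plus an optional user or group list) can be sketched as follows. This is an added example, not GitLab's code: `Rule`, `can_push?` and the sample rules are hypothetical. It assumes "normal rules" means master-level access only, that every matching rule must allow the push, and that the user can already push to unprotected branches.

```ruby
# Added example; not GitLab's implementation. All names are hypothetical.
Rule = Struct.new(:pattern, :users, :groups) do
  # Build an anchored regex from the pattern: `*` matches any run of
  # characters (including "/"); every other character is matched literally,
  # so "release.1" cannot match "releaseX1".
  def regex
    literal_parts = pattern.split('*', -1).map { |part| Regexp.escape(part) }
    Regexp.new('\A' + literal_parts.join('.*') + '\z')
  end

  def matches?(branch)
    regex.match?(branch)
  end

  # A rule with a user or group list lets ONLY those people push.
  def restricted?
    !(users.empty? && groups.empty?)
  end

  def allows?(user)
    if restricted?
      users.include?(user[:name]) || (groups & user[:groups]).any?
    else
      # Assumption: "normal rules for protected branches" = masters only.
      user[:role] == :master
    end
  end
end

# Assumption (not stated on the page): when several rules match a branch,
# all of them must allow the push. A branch matching no rule is unprotected.
def can_push?(rules, branch, user)
  matching = rules.select { |rule| rule.matches?(branch) }
  matching.empty? || matching.all? { |rule| rule.allows?(user) }
end

# Constructed sample rules and users.
RULES = [
  Rule.new('production/*', ['alice'], []),
  Rule.new('*-stable', [], ['release-team']),
  Rule.new('production', [], [])
].freeze

ALICE = { name: 'alice', role: :developer, groups: [] }.freeze
BOB   = { name: 'bob',   role: :master,    groups: [] }.freeze
CAROL = { name: 'carol', role: :developer, groups: ['release-team'] }.freeze
```

Anchoring the regex with `\A` and `\z` matters here: an unanchored match would let `production/*` also protect, or fail to protect, branches that merely contain that text.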