Deploy key can push to protected branches


Summary

Deploy keys with 'write' are able to push to a protected branch that is set to allow 'No one' to push.

Steps to reproduce

  1. Create new Project.
    • Create new Branch
    • Add Branch to Protected Branches
      • Allowed to Merge Master, Allow to Push 'No One'
  2. Add Deploy Key
    • Enable Write access allowed
  3. With deploy key attempt to push to project

What is the expected correct behavior?

Reject push on protected branch:

To git@gitlab:group/project.git
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'git@gigitlab:group/project.git'

Relevant logs and/or screenshots

Reproduced on 10.4.3

Internal Zendesk: https://gitlab.zendesk.com/agent/tickets/89772

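An added example, not part of the original issue and not GitLab's own code: an audit that lists every write-enabled deploy key on a project that also has a protected branch whose push rule is 'No one', which is the configuration this report describes. The JSON is constructed sample data shaped like the responses of the GitLab deploy keys and protected branches REST endpoints; the key titles and branch names are made up.

```python
import json

NO_ONE = 0  # GitLab access level 0 ("No access"), shown as 'No one' in the UI

# Constructed sample data shaped like the responses of
# GET /projects/:id/deploy_keys and GET /projects/:id/protected_branches.
SAMPLE_DEPLOY_KEYS = json.loads("""[
  {"id": 1, "title": "ci-readonly", "can_push": false},
  {"id": 2, "title": "release-bot", "can_push": true}
]""")
SAMPLE_PROTECTED_BRANCHES = json.loads("""[
  {"name": "master",
   "push_access_levels":  [{"access_level": 0}],
   "merge_access_levels": [{"access_level": 40}]},
  {"name": "develop",
   "push_access_levels":  [{"access_level": 30}],
   "merge_access_levels": [{"access_level": 30}]}
]""")


def push_locked_branches(protected_branches):
    """Names of protected branches whose only push rule is 'No one'."""
    locked = []
    for branch in protected_branches:
        levels = [r.get("access_level") for r in branch.get("push_access_levels", [])]
        # Any rule other than level 0 means someone is allowed to push.
        if levels and all(level == NO_ONE for level in levels):
            locked.append(branch["name"])
    return locked


def write_deploy_keys(deploy_keys):
    """Deploy keys that have 'Write access allowed' enabled."""
    return [k for k in deploy_keys if k.get("can_push") is True]


def audit(deploy_keys, protected_branches):
    """(key title, branch) pairs matching the configuration in this report."""
    branches = push_locked_branches(protected_branches)
    return [(k["title"], b) for k in write_deploy_keys(deploy_keys) for b in branches]


if __name__ == "__main__":
    for title, branch in audit(SAMPLE_DEPLOY_KEYS, SAMPLE_PROTECTED_BRANCHES):
        print(f"write deploy key {title!r} on project with push-locked branch {branch!r}")
```

On an affected version, each pair returned is a key that can push to a branch the project owner believes nobody can push to.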