Protected Branch name precedence over wildcard
Proposal
The specific name should take precedence over the wildcard match.
Background
These other issues also suggest a similar solution:
- Override permissions for protected branches wit... (#28048)
- Wildcard branch protection rules should not app... (#26724)
- Protected Branch name precedence over wildcard (#358910)
- Protected branches: match the most specific pat... (#39115)
A previous attempt to resolve overlapping protected branches by looking at the rules needed to be reverted. This comment suggests looking at names rather than the actual rules to determine which protected branch settings to use, #285560 (comment 512144044):
If we have two rules and both match a ref, we need to be able to say "we're going to use this one instead of this other one, because it's a better match".
Given the wildcards we permit, it might be that "longest-pattern" is "most-specific", but I've not investigated in any depth.
How to determine which rule is best match for a branch?
Keep in mind with protected branch rules there are group-level rules that would be cascading down to projects &8679.
In order from least to most specific:
- Wildcard matches
  - Group-level rules
  - Project-level rules
- Named branches
  - Group-level rules
  - Project-level rules
Presenting rules this way can be thought of as a funnel, with the widest, least specific rules at the top and the list getting narrower and more specific as you go down. An example of this in use is this comment: !52319 (comment 512636614).
To help visualize the precedence order, we would present the protected branches alphabetically, in precedence order from least to most specific. With 3 rules feat/1234-new, *, and feat/* it would be presented like:
- * (least specific)
- feat/*
- feat/1234-new (most specific)
Handling duplicates
A duplicate would be considered as having the exact same structure. feat/* & feat/* would be a duplicate. For example, * & feat/* would have an overlap but are not duplicates.
Feedback required: Similar rule scenario
Suppose you had two rules, A) f*ture and B) featu*e, and you wanted to match branch feature. Which rule would match, A or B?
Looking at the rules:
- A would match names like "future", "feature", "feature/123-new-fixture".
- B would match names like "feature", "feature/123-new-fixture".
Determining the rules to resolve this scenario would also resolve similar real scenarios like this one, !52319 (comment 510049751), which has matching patterns of *, v*.*.*, v*.*.*.*
These rules do not have the exact same structure, so they would co-exist.
When rules A and B are sorted alphabetically (A-Z), the result would be:
- f*ture (A)
- featu*e (B)
This means rule B would match for branch feature.
It would match because both are wildcards and, when ordered alphabetically, B is the last rule to match.
Original proposal
While using GitLab protected branches with wildcards, the wildcard branch name takes precedence over a fully named branch rule.
e.g. in this demo repo: https://gitlab.com/cy4n/protected-branch-demo
a) I am allowed to push into branch_1, although "no one" is allowed to push.
b) I am not allowed to merge into branch_1 without codeowner approval (both points showing that the wildcard branch takes precedence)
Expected Behaviour:
The more explicit rule for branch_1 should
a) forbid me to push as anyone
b) allow me to merge (as a maintainer) without codeowner approval
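
The precedence order proposed above (wildcards before named branches, group-level before project-level, then alphabetical with the last match winning) can be sketched as follows. This is an added example, not GitLab's implementation and not part of the original issue: `Rule`, `LEVELS`, `precedence_key`, `best_rule`, the `push` values and `SAMPLE_RULES` are all hypothetical, and applying the alphabetical sort inside each tier is an assumption.

```ruby
# Added illustration of the precedence order proposed in this issue.
# Not GitLab's implementation: Rule, LEVELS, precedence_key and best_rule
# are hypothetical names, and SAMPLE_RULES is constructed data.
Rule = Struct.new(:pattern, :level, :push) do
  def wildcard?
    pattern.include?('*')
  end

  # '*' matches any run of characters; every other character is literal.
  def matches?(branch)
    parts = pattern.split('*', -1).map { |part| Regexp.escape(part) }
    Regexp.new("\\A#{parts.join('.*')}\\z").match?(branch)
  end
end

LEVELS = { group: 0, project: 1 }.freeze

# Sort key from least to most specific: wildcards before exact names,
# group-level before project-level, then alphabetical (A-Z) by pattern.
def precedence_key(rule)
  [rule.wildcard? ? 0 : 1, LEVELS.fetch(rule.level), rule.pattern]
end

# The last matching rule in precedence order supplies the settings.
# Returns nil when no rule matches (the branch is unprotected).
def best_rule(rules, branch)
  rules.select { |rule| rule.matches?(branch) }
       .max_by { |rule| precedence_key(rule) }
end

SAMPLE_RULES = [
  Rule.new('*',             :project, :maintainers),
  Rule.new('feat/*',        :project, :developers),
  Rule.new('feat/1234-new', :project, :maintainers),
  Rule.new('f*ture',        :project, :developers),   # rule A
  Rule.new('featu*e',       :project, :maintainers),  # rule B
  Rule.new('branch_1',      :group,   :no_one),
  Rule.new('branch_1',      :project, :no_one)
].freeze

if __FILE__ == $PROGRAM_NAME
  %w[feat/1234-new feat/other feature branch_1 main].each do |branch|
    rule = best_rule(SAMPLE_RULES, branch)
    puts format('%-14s -> %-14s push: %s', branch, rule.pattern, rule.push)
  end
end
```

With this ordering, the named `branch_1` rule decides the push setting even though `*` also matches, which is the expected behaviour described in the original proposal.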