Branch protection rule: Require a pull request before merging - Allow specified actors to bypass required pull requests
We will see the Manage:Import group continue to make progress on the GitHub Importer. Specifically, they will be working on importing GitHub rules for protected branches such that they operate the same way in GitLab.
Release notes
When you import projects from GitHub to GitLab, supported GitHub branch protection rules are mapped to either GitLab branch protection rules or project-wide GitLab settings. If "Require a pull request before merging" is set on GitHub and "Allow specified actors to bypass required pull requests" lists some users, then on import we set the "Allowed to push" branch protection rule on GitLab to the same users, provided the group you are importing your project to has a Premium licence.
Current situation
With Require a pull request before merging (#370951 - closed) we have solved for the base case about the ability to push: when GitHub enforces "Require a pull request before merging" without selecting "Allow specified actors to bypass required pull requests" for any branch, then "Allowed to push - No one" is set on GitLab.
With Allow force pushes - everyone (#370943 - closed) we solved the base case about force push - if one sets "Allow force push - Everyone" on GitHub, then on GitLab we enable "Allow force push", enabling all users with push access to also force push.
The other case about force pushing, namely when one sets on GitHub "Allow force push - Specify who can force push", cannot be mapped on GitLab: the corresponding setting on GitLab is a checkbox that enables/disables force push for all users with push permission, with no possibility to select specific users/groups. Therefore I closed Allow force pushes - Specify who can force push (#370945 - closed).
The case that remains open is when one sets on GitHub "Require a pull request before merging", and does select "Allow specified actors to bypass required pull requests" listing some users. In this case, we should set on GitLab "Allowed to push" to the same users. A complication arises because of the following two things:
- Specifying individual users that can push is a Premium feature; lower tiers can only select groups or roles.
- GitHub allows specifying Teams and Apps that can push too, beyond individual users. Since we do not currently import Teams or Apps from GitHub to GitLab, we should skip those.
Proposed solution
When one sets on GitHub "Require a pull request before merging", and does select "Allow specified actors to bypass required pull requests" listing some users, we should set on GitLab "Allowed to push" to the same users. These users have to be members of the imported project. Because we currently don't add members to the project we are importing from GitHub, these users must be added as members of the parent group before starting the import.
Doing this is possible only for groups with Premium license. That should be documented.
Technical details
Get branch protection rules from the GitHub API. Look at required_pull_request_reviews -> bypass_pull_request_allowances -> users. Find related users on GitLab and create a push_access_level for each of them (use the project.protected_branches.push_access_levels association).
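
The mapping described above, sketched as an added Ruby example (not the importer's own code). The sample response and the login-to-user-id lookup are constructed, map_allowed_to_push is a hypothetical helper, and falling back to "No one" when no user can be mapped is an assumption based on the base case, not something this issue specifies.

```ruby
require 'json'

NO_ONE = 0 # GitLab access level that corresponds to "No one"

# Constructed sample of a GitHub branch protection response (trimmed).
SAMPLE_PROTECTION = JSON.parse(<<~JSON)
  {
    "required_pull_request_reviews": {
      "bypass_pull_request_allowances": {
        "users": [{"login": "alice", "id": 101}, {"login": "bob", "id": 102}],
        "teams": [{"slug": "release-managers"}],
        "apps":  [{"slug": "deploy-bot"}]
      }
    }
  }
JSON

# Hypothetical lookup: GitHub login => GitLab user id, project members only.
SAMPLE_MEMBERS = { 'alice' => 7 }.freeze

# Returns push_access_levels attributes plus every actor that was skipped,
# so that no one silently gains or loses push rights during the import.
def map_allowed_to_push(protection, members_by_login, premium:)
  reviews = protection['required_pull_request_reviews']
  # "Require a pull request before merging" is not set: out of scope here.
  return { push_access_levels: nil, skipped: [] } if reviews.nil?

  allowances = reviews['bypass_pull_request_allowances'] || {}
  # Teams and Apps are not imported from GitHub, so they are always skipped.
  skipped = %w[teams apps].flat_map do |kind|
    (allowances[kind] || []).map { |actor| "#{kind}:#{actor['slug']}" }
  end

  levels = []
  (allowances['users'] || []).each do |user|
    user_id = members_by_login[user['login']]
    if premium && user_id
      levels << { user_id: user_id }
    else
      skipped << "users:#{user['login']}" # no Premium licence, or not a member
    end
  end

  # Assumption: with nobody mappable, keep the restrictive base case.
  levels = [{ access_level: NO_ONE }] if levels.empty?
  { push_access_levels: levels, skipped: skipped }
end
```

Recording the skipped actors makes it possible to review, after the import, which GitHub bypass permissions were not carried over.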