Group-level protected branches are not applied until another change is pushed
Summary
Group-level protected branch protections are not applied until something is pushed.
This happens in 2 situations.
- When a group-level protected branch is unprotected (removed), GitLab still applies the now-deleted protections during the next push to the previously protected branch. Once GitLab receives a push to another branch, the previously protected branch behaves correctly.
- When a group-level protected branch is created, GitLab does not mark existing matching branches as protected or prevent new matching branches from being pushed until GitLab receives a push to another branch.
I suspect there is some caching happening somewhere that needs to be invalidated.
Steps to reproduce
Removing a group-level protected branch
1. Create project in a group
2. Create group-level protected branch for *-release
3. Push branch named v2-release: correctly fails
4. Delete group-level protected branch
5. Push branch named v2-release that is protected: incorrectly fails
6. Push a different branch which is not protected
7. Retry step 5: now correctly succeeds
Creating a group-level protected branch
1. Created project
2. Push branch named v2-release: correctly succeeds
3. Create group-level protected branch for *-release
4. Try to push change to v2-release: incorrectly succeeds
5. Try to push to v2-release: correctly fails
Note: Step 5 here and Step 3 in the Removing a group-level protected branch appear to be the same action but behave differently.
Video
https://www.loom.com/share/f1f1403d35404622bf5eccbdc22d136b
Expected behaviour
Group-level protected branches should be applied as soon as they are created, the same as project-level protected branches are.
Proposal
@nrosandich has suggested a cache invalidation outlined in this comment #411765 (comment 1393139023)
Edited by Joe Woodward
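The two reproduction sequences above and the proposed cache invalidation, as an added toy model that is not GitLab's code and not part of the original issue. It assumes (hypothetically) that push checks read a cached copy of the group-level patterns and that this copy is rebuilt only after an accepted push; the class, method, and branch name `feature` are made up for illustration.

```python
from fnmatch import fnmatchcase


class ToyServer:
    """Toy model, not GitLab code. Assumption (hypothetical): push checks use a
    cached copy of the group-level patterns, rebuilt only after an accepted
    push unless invalidate_on_change (the proposed fix) is enabled."""

    def __init__(self, invalidate_on_change=False):
        self.group_rules = set()   # authoritative group-level patterns
        self.cache = None          # cached copy consulted by push checks
        self.invalidate_on_change = invalidate_on_change

    def _rule_changed(self):
        if self.invalidate_on_change:
            self.cache = None      # drop the stale copy immediately

    def protect(self, pattern):
        self.group_rules.add(pattern)
        self._rule_changed()

    def unprotect(self, pattern):
        self.group_rules.discard(pattern)
        self._rule_changed()

    def push(self, branch):
        """Return True if the push is accepted, False if rejected."""
        if self.cache is None:
            self.cache = set(self.group_rules)
        if any(fnmatchcase(branch, p) for p in self.cache):
            return False           # rejected push: cache is left untouched
        self.cache = set(self.group_rules)  # accepted push: cache rebuilt
        return True


def removing_sequence(server):
    server.protect("*-release")
    out = [server.push("v2-release")]       # step 3
    server.unprotect("*-release")
    out.append(server.push("v2-release"))   # step 5
    out.append(server.push("feature"))      # step 6 (constructed branch name)
    out.append(server.push("v2-release"))   # step 7
    return out


def creating_sequence(server):
    out = [server.push("v2-release")]       # step 2
    server.protect("*-release")
    out.append(server.push("v2-release"))   # step 4
    out.append(server.push("v2-release"))   # step 5
    return out
```

Under this model the window in the creating sequence (step 4) is the one that matters for enforcement: a push lands on a branch that the group owner already believes is protected.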