Prevent default branch from being changed if setting is present

Why are we doing this work

  • If the default branch is included in an enabled policy with block_unprotecting_branches: true, it should not be possible to remove that branch as the default branch.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • backend: add validation for whether the default branch can or cannot be changed
  • frontend: disable the save button at `/-/settings/repository#default-branch`

Verification steps

  1. Upload a GitLab Ultimate license
  2. Enable the feature flags:

     echo "Feature.enable(:scan_result_policies_block_unprotecting_branches)" | rails c

  3. Go to Project => Settings => Repository => Branch defaults => Make main the default branch
  4. Go to Secure => Policies => New policy => Scan Result Policy
  5. Go to YAML mode
  6. Use this policy:

     type: scan_result_policy
     name: Require approval for vulnerabilities
     description: ''
     enabled: true
     rules:
       - type: scan_finding
         scanners: []
         vulnerabilities_allowed: 0
         severity_levels: []
         vulnerability_states: []
         branch_type: protected
     actions:
       - type: require_approval
         approvals_required: 1
         role_approvers:
           - maintainer
           - developer
     approval_settings:
       block_unprotecting_branches: true

  7. Save the policy
  8. Go to Project => Settings => Repository => Branch defaults
  9. Verify the default branch cannot be changed and a popover shows up over the button
Edited by Alexander Turinske
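
A sketch of the backend check named in the implementation plan, run against the policy from the verification steps. This is an added example, not GitLab's code: the helper names `rule_covers_branch?` and `default_branch_change_blocked?` are hypothetical, and the branch-matching rules (how `branch_type` and `branches` select a branch) are assumptions.

```ruby
require "yaml"

# Constructed sample: the policy from the verification steps, trimmed to the
# fields this check reads.
SAMPLE_POLICY = <<~YAML
  type: scan_result_policy
  name: Require approval for vulnerabilities
  enabled: true
  rules:
    - type: scan_finding
      branch_type: protected
  approval_settings:
    block_unprotecting_branches: true
YAML

# Hypothetical helper: does one policy rule apply to the given branch?
# Assumptions: `branch_type: protected` covers any protected branch,
# `branch_type: default` covers the default branch, and `branches` is a list
# of branch names or wildcard patterns.
def rule_covers_branch?(rule, branch, protected_branches)
  case rule["branch_type"]
  when "default"   then return true # the branch passed in is the current default
  when "protected" then return protected_branches.include?(branch)
  end
  Array(rule["branches"]).any? { |pattern| File.fnmatch(pattern, branch) }
end

# Hypothetical validation: true when the current default branch must stay the
# default because an enabled policy with block_unprotecting_branches: true
# covers it. Disabled policies and policies without the setting never block.
def default_branch_change_blocked?(policies, default_branch, protected_branches)
  policies.any? do |policy|
    next false unless policy["enabled"] == true
    next false unless policy.dig("approval_settings", "block_unprotecting_branches") == true

    Array(policy["rules"]).any? do |rule|
      rule_covers_branch?(rule, default_branch, protected_branches)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  policies = [YAML.safe_load(SAMPLE_POLICY)]
  puts default_branch_change_blocked?(policies, "main", ["main"])
end
```

Comparing against `true` rather than truthiness keeps a malformed value such as the string "false" from enabling or disabling the block by accident.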