Developer cannot push to projects they create in groups
When a group allows developers to create new projects, the developer is unable to push any code without the `Maintainer` permission, but it is not desirable for a developer to receive elevated permissions. The `master` branch is protected by default when creating a new project, which prevents the developer from pushing to that branch without the involvement of a `Maintainer`. This workflow is disruptive and does not provide the expected experience for users.
Steps to reproduce
- In a group where you only have developer permissions, create a project
- Check the members page to see your permissions and try to push to the
What is the current bug behavior?
I only have `Developer` permissions on the project I created and cannot push to the `master` (default protected) branch.
What is the expected correct behavior?
Developer, I should be able to push to the project I've just created without intervention from a
Group Owner, I want `Developers` to be able to push code to new projects they create and allow `Maintainers` to protect the branch after the initial code has been pushed.
default branch protection settings to the group-level to allow flexibility in defining expected behaviors for
project creation and
|Instance-level setting for
The following configurations would be possible with this move:

| Default branch protection | Default project creation protection | Create Projects | Push new commits | Benefit |
|---|---|---|---|---|
| Fully protected | Maintainers | Maintainers | Maintainers | Maintainers retain strict control of the group and must be involved with project initialization. |
| Partially protected | Maintainers | Maintainers | Maintainers + Developers | Maintainers control project creation to limit volume, but Developers can still push new commits to these new projects. |
| Partially protected | Maintainers + Developers | Maintainers + Developers | Maintainers + Developers | Both Maintainers and Developers can create projects and push new commits. |
`Maintainers` can still visit each project created by a `Developer` to modify the default protected branch setting `Allowed to push` from `Maintainers + Developers` -> `Maintainers` after a project has been initialized.
These settings could allow developers to create projects and initialize them without involving a maintainer.
This provides some flexibility to group owners to alleviate friction for
More work is required to address the multiple use cases represented in this issue.
Original Proposal
1. A new setting on the project creation screen to (optionally) protect the `master` branch. (default: checked/enabled) - **Figure 1**
2. If enabled, only `Maintainers` can push code and workflows remain unchanged.
3. If disabled, the default protected branch is created with the settings in **Figure 2**. Both `Maintainers` and `Developers` can push code to `master` for this project only.
4. Once a project has been set up, an `Owner` or `Maintainer` can modify the project settings to `Protect` the master branch by changing the protected branch settings to `Maintainer` only. - **Figure 3**
Some thought will be required on managing the compliance aspect of this workflow. While it is desirable to enable developers to push to the projects they've created, it may be necessary to at least notify `Administrators` when an unprotected branch is created.
Additionally, there may be a need to implement a group-level setting (or another mechanism) to "require all new projects protect master branch" to provide controls for organizations to maintain compliance status, which would override the solution proposed here.
This could manifest elsewhere as a report showing a list of unprotected branches, but this is likely a separate issue for consideration.
Output of checks
This bug happens on GitLab.com
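The "report showing a list of unprotected branches" mentioned under the compliance notes could be sketched as follows. This is an added example, not GitLab's code or part of the original issue: the function names are hypothetical, the sample data is constructed, and the input is assumed to be shaped like the GitLab REST API project and protected-branch responses (`path_with_namespace`, `default_branch`, `name`, `push_access_levels[].access_level`).

```python
import re

DEVELOPER = 30  # GitLab access levels: 0 no one, 30 Developer, 40 Maintainer

def rule_matches(pattern, branch):
    """Protected-branch names may use '*' as a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, branch) is not None

def classify(project, protected_branches):
    """Classify who can push to the project's default branch."""
    default = project.get("default_branch")
    if not default:                       # empty repository, nothing pushed yet
        return "no-default-branch"
    rules = [r for r in protected_branches if rule_matches(r["name"], default)]
    if not rules:
        return "unprotected"
    # Flag the branch if any matching rule admits Developers to push.
    for rule in rules:
        for entry in rule.get("push_access_levels", []):
            level = entry.get("access_level")  # None for user/group-specific entries
            if level is not None and 0 < level <= DEVELOPER:
                return "developers-can-push"
    return "restricted"

def report(inventory):
    """inventory: list of (project, protected_branches); returns flagged rows."""
    rows = []
    for project, rules in inventory:
        status = classify(project, rules)
        if status in ("unprotected", "developers-can-push"):
            rows.append((project["path_with_namespace"],
                         project["default_branch"], status))
    return rows

# Constructed sample data (not real projects), one entry per case.
SAMPLE = [
    ({"path_with_namespace": "grp/locked", "default_branch": "master"},
     [{"name": "master", "push_access_levels": [{"access_level": 40}]}]),
    ({"path_with_namespace": "grp/new-by-dev", "default_branch": "master"},
     [{"name": "master", "push_access_levels": [{"access_level": 40},
                                                {"access_level": 30}]}]),
    ({"path_with_namespace": "grp/open", "default_branch": "main"},
     [{"name": "release-*", "push_access_levels": [{"access_level": 40}]}]),
    ({"path_with_namespace": "grp/empty", "default_branch": None}, []),
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row, sep="\t")
```

Entries with no `access_level` (user- or group-specific push rules) are skipped here and would need separate review in a real report.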