Draft: Add "Instance Admin" opt to Protected Branch/Tag
What does this MR do and why?
Related to #12776 (closed)
We are adding a new "Instance Admins" option to the Protected Branch "allowed to push" and "allowed to merge" dropdowns, and the Protected Tag "allowed to create" dropdown.
This changes how the other options function. Previously admins could always perform these actions regardless of the configurations. Now selecting "No one" will mean no one will be able to perform the action, including admins. Similarly, selecting "Developers + Maintainers" or "Maintainers" will exclude the admins (unless they have a developer or maintainer role assigned to them).
Screenshots or screen recordings
How to set up and validate locally
- Navigate to the Project > Settings > Respository > Protected Branch section
-
Create a protected branch with no one assigned (first merge, then push and merge) -
Test that you cannot merge into that branch even when admin -
Test that you cannot push into that branch even when admin -
Modify the protected branch and assign instance admins -
Test that you cannot merge into that branch when non-admin -
Test that you cannot push into that branch when non-admin -
Test that you can merge into that branch when admin -
Test that you can push into that branch when admin - Navigate to the Project > Settings > Repository > Protected Tag section
-
Create a protected tag with no one can create -
Test you cannot create a tag even when admin -
Assign instance admins to the protected tag -
Test you can create a tag while admin
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.