
Add "Protect against push after initial push" for Default branch group

What does this MR do and why?

In !118729 (merged) the option "Fully protected after initial push" was introduced to allow developers to create and initialize repos and afterwards have a fully protected repo. This feature is also needed for "Protected against pushes". This helps to avoid that "Developers" of a group can create a repo but never push any code to it.

In lib/gitlab/access.rb I created a new PROTECTION_DEV_CAN_MERGE_INITIAL_PUSH flag and elsewhere copied the procedure from !118729 (merged).

I also noticed some irregularities:

  • I see multiple confusions with the force push. Protection against pushes and fully protected, independently of the initial push, disallow force push.
  • Some tests test behavior that is different from the real-world behavior and passed, so maybe these are misleading. I started some threads with this stuff.

Closes #426343; Also related to #426343, #31602 (closed), #415846 (maybe), #374003 (closed)

How to set up and validate locally (copied and adapted from !118729 (merged))

  1. Pick a group, we will be using Commit451 as an example
  2. Open group settings -> repository (/groups/Commit451/-/settings/repository)
  3. Set default branch protection level to Protected against pushes after initial push and save it
  4. Ensure that group allows Developer to create new projects
  5. Pick or create a user who is not an admin and has Developer permission to this group.
  6. As this user (either by logging in or using impersonation) create a new empty project. Ensure that initialize with README is unchecked - you need a project with no branches
  7. As this user clone repository, create first commit & perform push to this repository. It should complete ok
  8. Make second commit & push. It should fail, because repository is fully protected now
  9. Create a merge request and merge it from the UI as this should be allowed

I was not able to test the project locally myself. Maybe a more experienced dev can help. I also never touched the codebase or Ruby itself, so have mercy please.

Edited by Oskar Baumann
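
The pass/fail pattern expected in steps 7 and 8 of the validation procedure can be reproduced offline with plain git. This is an added example, not code from the merge request or from GitLab: a pre-receive hook in a throwaway bare repository stands in for the protection setting, and the hook, the function name and the repository names are assumptions. It does not model user roles or merging from the UI (step 9).

```shell
#!/bin/sh
# Stand-in for the group setting: a bare repository whose pre-receive hook
# accepts a push only while the repository has no branches yet.
# Prints "<exit status of first push> <exit status of second push>".
demo_initial_push_protection() (
  work=$(mktemp -d) || exit 1
  trap 'rm -rf "$work"' EXIT
  cd "$work" || exit 1

  git init -q --bare server.git
  mkdir -p server.git/hooks
  cat > server.git/hooks/pre-receive <<'HOOK'
#!/bin/sh
cat >/dev/null   # drain the ref update list; the decision depends only on existing refs
# No branch exists yet: this is the initial push, accept it.
if [ -z "$(git for-each-ref refs/heads)" ]; then exit 0; fi
echo "rejected: protected against pushes after the initial push" >&2
exit 1
HOOK
  chmod +x server.git/hooks/pre-receive

  git clone -q server.git dev 2>/dev/null
  cd dev || exit 1
  commit() {
    git -c user.name=dev -c user.email=dev@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "$1"
  }

  commit "first commit"    # step 7: initial push into the empty repository
  git push -q origin HEAD:refs/heads/main 2>/dev/null && first=0 || first=1

  commit "second commit"   # step 8: any later push must be refused
  git push -q origin HEAD:refs/heads/main 2>/dev/null && second=0 || second=1

  echo "$first $second"
)

demo_initial_push_protection
```
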
