Feature flag rollout and cleanup
## Context
| | |
|---|---|
| **Phase** | 6 of 6 |
| **Parallel with** | — |
| **Blocked by** | https://gitlab.com/gitlab-org/gitlab/-/work_items/594887+ <br> https://gitlab.com/gitlab-org/gitlab/-/work_items/594888+ <br> https://gitlab.com/gitlab-org/gitlab/-/work_items/594889+ <br> https://gitlab.com/gitlab-org/gitlab/-/work_items/594890+ |
| **Unblocks** | — |
## Summary
Roll out the `custom_roles_for_protected_branches` feature flag on GitLab.com, monitor for issues, then remove all feature flag guards and delete the flag definition file.
## Background
All functionality in this epic is gated behind the `custom_roles_for_protected_branches` feature flag (created in Issue 2). Once all feature issues are merged and the feature has been validated, this issue covers the staged rollout and eventual permanent enablement.
## Rollout steps
### 1. Enable on staging / canary
```
/chatops run feature set custom_roles_for_protected_branches true --staging
```
Verify:
- Custom roles appear in protected branch dropdowns on staging
- Access checks grant/deny correctly
- No regressions on standard role-based protected branches
- No N+1 query alerts
### 2. Gradual rollout on production (percentage-based)
```
/chatops run feature set custom_roles_for_protected_branches 10
/chatops run feature set custom_roles_for_protected_branches 50
/chatops run feature set custom_roles_for_protected_branches 100
```
Monitor error rates and performance metrics at each stage.
### 3. Full enablement
```
/chatops run feature set custom_roles_for_protected_branches true
```
### 4. Flag removal (separate MR after bake time)
Once fully enabled with no issues for at least one milestone:
- Remove all `Feature.enabled?(:custom_roles_for_protected_branches, ...)` guards from Ruby code
- Remove any frontend feature flag checks
- Delete `ee/config/feature_flags/wip/custom_roles_for_protected_branches.yml`
- Updating `default_enabled: true` in the YAML is NOT needed (the file is deleted entirely)
Use `grep -r "custom_roles_for_protected_branches"` to find all references to remove.
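The reference audit for step 4, as an added example (not GitLab's own tooling). It also searches for the camelCase form `customRolesForProtectedBranches`, which is how frontend code reads a pushed flag and which the snake_case `grep` alone does not match. The path-to-category mapping and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: list every remaining reference to a feature flag in a checkout.
FLAG="custom_roles_for_protected_branches"

# snake_case -> camelCase, the spelling frontend code uses for the same flag.
flag_camel() {
  printf '%s\n' "$1" | awk -F_ '{
    out = $1
    for (i = 2; i <= NF; i++) out = out toupper(substr($i, 1, 1)) substr($i, 2)
    print out
  }'
}

# Prints "category<TAB>file:line:text" for each hit under root ($1).
# Categories (assumed mapping): definition, spec, ruby, frontend, other.
flag_refs() (
  root=$1
  flag=${2:-$FLAG}
  camel=$(flag_camel "$flag")
  grep -rnF --exclude-dir=.git --exclude-dir=node_modules \
       -e "$flag" -e "$camel" "$root" 2>/dev/null |
  while IFS= read -r hit; do
    file=${hit%%:*}
    case "$file" in
      */config/feature_flags/*) kind=definition ;;  # the flag YAML to delete
      *_spec.rb|*/spec/*)       kind=spec ;;        # stub_feature_flags(...) calls
      *.rb|*.haml)              kind=ruby ;;        # Feature.enabled? guards
      *.js|*.vue|*.ts)          kind=frontend ;;    # camelCase flag checks
      *)                        kind=other ;;       # docs, changelogs, etc.
    esac
    printf '%s\t%s\n' "$kind" "$hit"
  done
)

# Number of remaining references; 0 means the cleanup is complete.
flag_ref_count() {
  flag_refs "$@" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit_flag.sh <checkout-root>
if [ "$#" -gt 0 ]; then flag_refs "$1"; fi
```

Any `ruby` or `frontend` hit left after the removal MR is a guard on the protected-branch access path that still consults a flag with no definition file.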
## Verification checklist
- [ ] Custom roles appear in protected branch dropdowns at project level
- [ ] Custom roles appear in protected branch dropdowns at group level
- [ ] Users with the assigned custom role can push/merge as configured
- [ ] Users with a different custom role (same base level) are correctly denied
- [ ] Users with no custom role but same base access level are correctly denied
- [ ] Group-level custom role rules cascade to all projects in the group
- [ ] REST API correctly accepts and returns `member_role_id`
- [ ] GraphQL mutation correctly accepts `memberRoleId`
- [ ] No performance regressions on protected branch access checks
- [ ] Documentation is complete
## Dependencies
All other issues in this epic must be merged and verified before rollout begins.
## Labels
issue