- Who can modify a protected branch
- Configure a protected branch
- Configure multiple protected branches by using a wildcard
- Create a protected branch
- Require everyone to submit merge requests for a protected branch
- Allow everyone to push directly to a protected branch
- Allow deploy keys to push to a protected branch
- Allow force push on a protected branch
- Require Code Owner approval on a protected branch
- Run pipelines on protected branches
- Delete a protected branch
- Troubleshooting
Protected branches
In WVS, permissions are fundamentally defined around the idea of having read or write permission to the repository and branches. To impose further restrictions on certain branches, they can be protected.
The default branch for your repository is protected by default.
Who can modify a protected branch
When a branch is protected, the default behavior enforces these restrictions on the branch.
Action | Who can do it |
---|---|
Protect a branch | At least the Maintainer role. |
Push to the branch | Administrators and anyone with Allowed permission. (1) |
Force push to the branch | No one. |
Delete the branch | No one. |
- Users with the Developer role can create a project in a group, but might not be allowed to initially push to the default branch.
Configure a protected branch
Prerequisite:
- You must have at least the Maintainer role.
To protect a branch:
- Go to your project and select Project Settings > Version Control.
- Expand Protected branches.
- From the Branch dropdown list, select the branch you want to protect.
- From the Allowed to merge list, select a role, or group that can merge into this branch. In WVS, you can also add users.
- From the Allowed to push list, select a role, group, or user that can push to this branch. In WVS, you can also add users.
- Select Protect.
The protected branch displays in the list of protected branches.
Configure multiple protected branches by using a wildcard
Prerequisite:
- You must have at least the Maintainer role.
To protect multiple branches at the same time:
- Go to your project and select Project Settings > Version Control.
- Expand Protected branches.
-
From the Branch dropdown list, type the branch name and a wildcard. For example:
Wildcard protected branch Matching branches *-stable
production-stable
,staging-stable
production/*
production/app-server
,production/load-balancer
*WVS*
WVS
,WVS/staging
,master/WVS/production
- From the Allowed to merge list, select a role, or group that can merge into this branch.
- From the Allowed to push list, select a role, group, or user that can push to this branch.
- Select Protect.
The protected branch displays in the list of protected branches.
Create a protected branch
Users with at least the Developer role can create a protected branch.
Prerequisites:
- Allowed to push is set to No one
- Allowed to merge is set to Developers.
You can create a protected branch by using the UI or API only. This prevents you from accidentally creating a branch from the command line or from a Git client application.
To create a new branch through the user interface:
- Go to Version Control > Branches.
- Select New branch.
- Fill in the branch name and select an existing branch, tag, or commit to base the new branch on. Only existing protected branches and commits that are already in protected branches are accepted.
Require everyone to submit merge requests for a protected branch
You can force everyone to submit a merge request, rather than allowing them to check in directly to a protected branch. This is compatible with workflows like the WVS workflow.
- Go to your project and select Project Settings > Version Control.
- Expand Protected branches.
- From the Branch dropdown list, select the branch you want to protect.
- From the Allowed to merge list, select Developers + Maintainers.
- From the Allowed to push list, select No one.
- Select Protect.
Allow everyone to push directly to a protected branch
You can allow everyone with write access to push to the protected branch.
- Go to your project and select Project Settings > Version Control.
- Expand Protected branches.
- From the Branch dropdown list, select the branch you want to protect.
- From the Allowed to push list, select Developers + Maintainers.
- Select Protect.
Allow deploy keys to push to a protected branch
You can permit the owner of a deploy key to push to a protected branch. The deploy key works, even if the user isn’t a member of the related project. However, the owner of the deploy key must have at least read access to the project.
Prerequisites:
- The deploy key must be enabled for your project. A project deploy key is enabled by default when it is created. However, a public deploy key must be granted access to the project.
- The deploy key must have write access to your project repository.
To allow a deploy key to push to a protected branch:
- Go to your project and select Project Settings > Version Control.
- Expand Protected branches.
- From the Branch dropdown list, select the branch you want to protect.
- From the Allowed to push list, select the deploy key.
- Select Protect.
Deploy keys are not available in the Allowed to merge dropdown list.
Allow force push on a protected branch
You can allow force pushes to protected branches.
To protect a new branch and enable force push:
- Go to your project and select Project Settings > Version Control.
- Expand Protected branches.
- From the Branch dropdown list, select the branch you want to protect.
- From the Allowed to push and Allowed to merge lists, select the settings you want.
- To allow all users with push access to force push, turn on the Allowed to force push toggle.
- To reject code pushes that change files listed in the
CODEOWNERS
file, turn on the Require approval from code owners toggle. - Select Protect.
To enable force pushes on branches that are already protected:
- Go to your project and select Project Settings > Version Control.
- Expand Protected branches.
- In the list of protected branches, next to the branch, turn on the Allowed to force push toggle.
Members who can push to this branch can now also force push.
Require Code Owner approval on a protected branch
For a protected branch, you can require at least one approval by a Code Owner.
To protect a new branch and enable Code Owner’s approval:
- Go to your project and select Project Settings > Version Control.
- Expand Protected branches.
- From the Branch dropdown list, select the branch you want to protect.
- From the Allowed to push and Allowed to merge lists, select the settings you want.
- Turn on the Require approval from code owners toggle.
- Select Protect.
To enable Code Owner’s approval on branches that are already protected:
- Go to your project and select Project Settings > Version Control.
- Expand Protected branches.
- In the list of protected branches, next to the branch, turn on the Code owner approval toggle.
When enabled, all merge requests for these branches require approval by a Code Owner per matched rule before they can be merged. Additionally, direct pushes to the protected branch are denied if a rule is matched.
Any user who is not specified in the CODEOWNERS
file cannot push
changes for the specified files or paths, unless they are specifically allowed to.
You don’t have to restrict developers from pushing directly to the
protected branch. Instead, you can restrict pushing to certain files where a review by
Code Owners is required.
In WVS, users and groups who are allowed to push to protected branches do not need a merge request to merge their feature branches. Thus, they can skip merge request approval rules, Code Owners included.
Run pipelines on protected branches
The permission to merge or push to protected branches defines whether or not a user can run CI/CD pipelines and execute actions on jobs.
See Security on protected branches for details about the pipelines security model.
Delete a protected branch
Users with at least the Maintainer role can manually delete protected branches by using the WVS web app:
- Go to Version Control > Branches.
- Next to the branch you want to delete, select Delete ().
- On the confirmation dialog, type the branch name and select Delete protected branch.
Protected branches can only be deleted by using WVS either from the UI or API. This prevents accidentally deleting a branch through local Git commands or third-party Git clients.
Troubleshooting
For additional help, please reach out to us on our Discord or by Email.