Gerrit - how to disallow direct push to "master" but allow to other branches

Asked 26/4, 2013 at 13:59 Answered 27/1, 2021 at 9:28

git gerrit

I want to set up configuration described below:

Registered user can not push his changes directly to master. He has to push these changes for review:

git push origin master - it should be rejected by Gerrit (origin = Gerrit)

git push origin HEAD:refs/for/master - it should be allowed by Gerrit
Registered user can create a new branch. This branch will be treated as a backup and a way of cooperation between two or more developers so it shouldn't be reviewed.

git push origin xyz_abc - it should be allowed by Gerrit

How should I configure Gerrit to achieve such functionality ?

Jaehne answered 26/4, 2013 at 13:59 Comment(0)

There are no good instructions anywhere, so thought I'd document the steps here.

1. Navigate to your project's Access page

Projects > List > your_project > Access

2. Edit Access

Click the Edit button

3. Add Reference to refs/heads/*

This is the reference for all direct pushes. We're going to configure who can do what to this path.

Click "Add Reference" and type in 'refs/heads/*' (no quotes)

4. Deny the "Push" permission

The Push permission is the one which controls who can make direct pushes. Merge pushes and pushes to Gerrit will still be allowed (see notes below).

Click "Add Permission" and select "Push".
Select the user group you want to deny push from (you can type in "Registered Users" if you want to block everyone)
Choose "DENY" from the dropdown that appears once you've added your user group

5. Save Changes

And you're done. The finished config should look something like this:

Note

If this doesn't work, make sure you have the Push permission set to ALLOW on refs/for/refs/* - this is the permission which allows pushes to Gerrit.

Calvillo answered 23/6, 2016 at 10:30 Comment(3)

I wonder how this solves the "but allow to other branches". This will prevent pushes to ALL branches. – Autostability 29/9, 2016 at 9:45

@Autostability if you want to apply the allow for master, then put allow in above image. then create a new permission specifically for refs/heads/master (and put deny instead of allow under push) – Nissa 4/10, 2016 at 14:53

@Conan "Deny" will not work here. One should use "Block" for 'refs/heads/master' instead to override 'refs/heads/*' settings for this particular branch. – Gretel 7/12, 2016 at 16:56

You need to change the Access settings of your project and there you need to make use of the Exclusive flag to override the Deny settings for refs/heads/master. With a configuration like this you should be able to achieve this "allow to push everywhere except to the master branch".

Source: https://gerrit-review.googlesource.com/Documentation/access-control.html#_project_access_control_lists

Asset answered 27/1, 2021 at 9:28 Comment(0)

AFAIK you can set up permissions for every repo/project in gerrit. For example who can push / who can force push / who can approve your changes and all that. Check below link if it is usefull :

https://git.eclipse.org/r/Documentation/access-control.html

Roup answered 27/4, 2013 at 14:7 Comment(1)

just linking to the documentation is not very helpful to answer such specific question – Sather 21/7, 2015 at 9:6

If there are many branches you can use namespaces (e.g. dev/*) for branches and set access control for these namespaces.

Burble answered 14/8, 2013 at 11:42 Comment(0)

With guidance from mmelnik answer to this thread.

When the references overlap, only one of them works at a time (more generic one).

So, you should not set deny permission for master and allow all other branches, instead you can use a prefix for your development branches and use the below reference to allow the push to them:

^refs/heads/YourPrefix.*

Note: Preserve the ^ & * at the start and end for the regex.

Samul answered 11/8, 2020 at 21:38 Comment(0)

Recommended topics

Hot tags