To prevent just any user from pushing a deployment to a production or acceptance environment, GitLab uses the concept of protected branches.
Protected branches
This example means:
- Everyone with at least Developer permissions can create and/or approve a merge request to the release branch.
- Only those with at least Maintainer permissions can create and/or approve a merge request to the master branch.
For more information on roles, see Manage access to GitLab projects.
Set permissions for an existing protected branch
- In GitLab, go to the repo you want to set branch permissions for
- Go to Settings -> Repository
- Expand the Protected Branches section
- Now you can:
  - Select a different role tier for who is allowed to merge to a certain branch
  - Select a different role tier for who is allowed to push to a certain branch
  - Select whether the branch should be protected at all
  - Select whether a code owner should approve any MR (note that if you use this, the code owners have to be configured separately)
Changing an existing branch to a protected branch
- In GitLab, go to the repo you want to create a protected branch for
- Go to Settings -> Repository
- Expand the Protected Branches section
- From the Branch field, select a branch
- From the Allowed to merge field, select a Role, Group or User (note: a Group or User could have lower permissions than you’d like) who should be able to merge a merge request into the branch. This setting should be as restrictive as, or more restrictive than, the Allowed to push field
- From the Allowed to push field, select a Role, Group or User (note: a Group or User could have lower permissions than you’d like) who should be able to push to the branch
- Disable the Require approval from code owners checkbox (unless you know what you’re doing)
- Hit Protect
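
To check the resulting settings outside the UI, the following added example (not part of the original page or of GitLab's own tooling) audits the JSON returned by GitLab's protected branches API against the role tiers from the example above, and flags the user or group grants the notes above warn about. The `POLICY` mapping, the sample data, exact-name matching and applying the minimum role to both merge and push are assumptions of this example.

```python
import json

# GitLab access levels as used by the protected branches API.
NO_ACCESS, DEVELOPER, MAINTAINER = 0, 30, 40

# Policy from the example above: minimum role per branch (applied to both
# merge and push here, which is an assumption of this example).
POLICY = {"master": MAINTAINER, "release": DEVELOPER}

# Constructed sample shaped like GET /projects/:id/protected_branches output.
SAMPLE = json.loads("""[
 {"name": "master",
  "merge_access_levels": [{"access_level": 40, "user_id": null, "group_id": null}],
  "push_access_levels": [{"access_level": 30, "user_id": null, "group_id": null}]},
 {"name": "release",
  "merge_access_levels": [{"access_level": 30, "user_id": null, "group_id": null},
                          {"access_level": null, "user_id": 17, "group_id": null}],
  "push_access_levels": [{"access_level": 0, "user_id": null, "group_id": null}]}
]""")


def audit(branches, policy=POLICY):
    """Return a sorted list of (branch, field, problem) findings."""
    findings = []
    by_name = {b["name"]: b for b in branches}
    for name, minimum in policy.items():
        branch = by_name.get(name)
        if branch is None:
            findings.append((name, "-", "not protected"))
            continue
        for field in ("merge_access_levels", "push_access_levels"):
            for entry in branch.get(field, []):
                if entry.get("user_id") or entry.get("group_id"):
                    # Named users/groups sit outside the role tier: review by hand.
                    findings.append((name, field, "user/group grant"))
                    continue
                level = entry.get("access_level")
                # 0 means "No one", the most restrictive setting.
                if level != NO_ACCESS and (level is None or level < minimum):
                    findings.append((name, field, f"role level {level} below {minimum}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```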