mirror of
https://github.com/go-gitea/gitea
synced 2024-10-19 20:10:10 +02:00
Make admins adhere to branch protection rules
This introduces a new flag `BlockAdminMergeOverride` on the branch protection rules that prevents admins/repo owners from bypassing branch protection rules and merging without approvals or failing status checks. Fixes #17131
This commit is contained in:
parent
afa8dd45af
commit
4595e4e28a
@ -63,6 +63,7 @@ type ProtectedBranch struct {
|
|||||||
RequireSignedCommits bool `xorm:"NOT NULL DEFAULT false"`
|
RequireSignedCommits bool `xorm:"NOT NULL DEFAULT false"`
|
||||||
ProtectedFilePatterns string `xorm:"TEXT"`
|
ProtectedFilePatterns string `xorm:"TEXT"`
|
||||||
UnprotectedFilePatterns string `xorm:"TEXT"`
|
UnprotectedFilePatterns string `xorm:"TEXT"`
|
||||||
|
BlockAdminMergeOverride bool `xorm:"NOT NULL DEFAULT false"`
|
||||||
|
|
||||||
CreatedUnix timeutil.TimeStamp `xorm:"created"`
|
CreatedUnix timeutil.TimeStamp `xorm:"created"`
|
||||||
UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
|
UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
|
||||||
|
@ -52,6 +52,7 @@ type BranchProtection struct {
|
|||||||
RequireSignedCommits bool `json:"require_signed_commits"`
|
RequireSignedCommits bool `json:"require_signed_commits"`
|
||||||
ProtectedFilePatterns string `json:"protected_file_patterns"`
|
ProtectedFilePatterns string `json:"protected_file_patterns"`
|
||||||
UnprotectedFilePatterns string `json:"unprotected_file_patterns"`
|
UnprotectedFilePatterns string `json:"unprotected_file_patterns"`
|
||||||
|
BlockAdminMergeOverride bool `json:"block_admin_merge_override"`
|
||||||
// swagger:strfmt date-time
|
// swagger:strfmt date-time
|
||||||
Created time.Time `json:"created_at"`
|
Created time.Time `json:"created_at"`
|
||||||
// swagger:strfmt date-time
|
// swagger:strfmt date-time
|
||||||
@ -90,6 +91,7 @@ type CreateBranchProtectionOption struct {
|
|||||||
RequireSignedCommits bool `json:"require_signed_commits"`
|
RequireSignedCommits bool `json:"require_signed_commits"`
|
||||||
ProtectedFilePatterns string `json:"protected_file_patterns"`
|
ProtectedFilePatterns string `json:"protected_file_patterns"`
|
||||||
UnprotectedFilePatterns string `json:"unprotected_file_patterns"`
|
UnprotectedFilePatterns string `json:"unprotected_file_patterns"`
|
||||||
|
BlockAdminMergeOverride bool `json:"block_admin_merge_override"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// EditBranchProtectionOption options for editing a branch protection
|
// EditBranchProtectionOption options for editing a branch protection
|
||||||
@ -121,4 +123,5 @@ type EditBranchProtectionOption struct {
|
|||||||
RequireSignedCommits *bool `json:"require_signed_commits"`
|
RequireSignedCommits *bool `json:"require_signed_commits"`
|
||||||
ProtectedFilePatterns *string `json:"protected_file_patterns"`
|
ProtectedFilePatterns *string `json:"protected_file_patterns"`
|
||||||
UnprotectedFilePatterns *string `json:"unprotected_file_patterns"`
|
UnprotectedFilePatterns *string `json:"unprotected_file_patterns"`
|
||||||
|
BlockAdminMergeOverride *bool `json:"block_admin_merge_override"`
|
||||||
}
|
}
|
||||||
|
@ -2461,6 +2461,8 @@ settings.block_on_official_review_requests = Block merge on official review requ
|
|||||||
settings.block_on_official_review_requests_desc = Merging will not be possible when it has official review requests, even if there are enough approvals.
|
settings.block_on_official_review_requests_desc = Merging will not be possible when it has official review requests, even if there are enough approvals.
|
||||||
settings.block_outdated_branch = Block merge if pull request is outdated
|
settings.block_outdated_branch = Block merge if pull request is outdated
|
||||||
settings.block_outdated_branch_desc = Merging will not be possible when head branch is behind base branch.
|
settings.block_outdated_branch_desc = Merging will not be possible when head branch is behind base branch.
|
||||||
|
settings.block_admin_merge_override=Administrators must follow branch protection rules
|
||||||
|
settings.block_admin_merge_override_desc=Administrators must follow branch protection rules and can not circumvent it.
|
||||||
settings.default_branch_desc = Select a default repository branch for pull requests and code commits:
|
settings.default_branch_desc = Select a default repository branch for pull requests and code commits:
|
||||||
settings.merge_style_desc = Merge Styles
|
settings.merge_style_desc = Merge Styles
|
||||||
settings.default_merge_style_desc = Default Merge Style
|
settings.default_merge_style_desc = Default Merge Style
|
||||||
|
@ -1943,6 +1943,7 @@ func ViewIssue(ctx *context.Context) {
|
|||||||
ctx.Data["IsBlockedByChangedProtectedFiles"] = len(pull.ChangedProtectedFiles) != 0
|
ctx.Data["IsBlockedByChangedProtectedFiles"] = len(pull.ChangedProtectedFiles) != 0
|
||||||
ctx.Data["ChangedProtectedFilesNum"] = len(pull.ChangedProtectedFiles)
|
ctx.Data["ChangedProtectedFilesNum"] = len(pull.ChangedProtectedFiles)
|
||||||
ctx.Data["RequireApprovalsWhitelist"] = pb.EnableApprovalsWhitelist
|
ctx.Data["RequireApprovalsWhitelist"] = pb.EnableApprovalsWhitelist
|
||||||
|
ctx.Data["BlockAdminMergeOverride"] = pb.BlockAdminMergeOverride
|
||||||
}
|
}
|
||||||
ctx.Data["WillSign"] = false
|
ctx.Data["WillSign"] = false
|
||||||
if ctx.Doer != nil {
|
if ctx.Doer != nil {
|
||||||
|
@ -256,6 +256,7 @@ func SettingsProtectedBranchPost(ctx *context.Context) {
|
|||||||
protectBranch.ProtectedFilePatterns = f.ProtectedFilePatterns
|
protectBranch.ProtectedFilePatterns = f.ProtectedFilePatterns
|
||||||
protectBranch.UnprotectedFilePatterns = f.UnprotectedFilePatterns
|
protectBranch.UnprotectedFilePatterns = f.UnprotectedFilePatterns
|
||||||
protectBranch.BlockOnOutdatedBranch = f.BlockOnOutdatedBranch
|
protectBranch.BlockOnOutdatedBranch = f.BlockOnOutdatedBranch
|
||||||
|
protectBranch.BlockAdminMergeOverride = f.BlockAdminMergeOverride
|
||||||
|
|
||||||
err = git_model.UpdateProtectBranch(ctx, ctx.Repo.Repository, protectBranch, git_model.WhitelistOptions{
|
err = git_model.UpdateProtectBranch(ctx, ctx.Repo.Repository, protectBranch, git_model.WhitelistOptions{
|
||||||
UserIDs: whitelistUsers,
|
UserIDs: whitelistUsers,
|
||||||
|
@ -219,6 +219,7 @@ type ProtectBranchForm struct {
|
|||||||
RequireSignedCommits bool
|
RequireSignedCommits bool
|
||||||
ProtectedFilePatterns string
|
ProtectedFilePatterns string
|
||||||
UnprotectedFilePatterns string
|
UnprotectedFilePatterns string
|
||||||
|
BlockAdminMergeOverride bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate validates the fields
|
// Validate validates the fields
|
||||||
|
@ -164,7 +164,7 @@
|
|||||||
{{$notAllOverridableChecksOk := or .IsBlockedByApprovals .IsBlockedByRejection .IsBlockedByOfficialReviewRequests .IsBlockedByOutdatedBranch .IsBlockedByChangedProtectedFiles (and .EnableStatusCheck (not .RequiredStatusCheckState.IsSuccess))}}
|
{{$notAllOverridableChecksOk := or .IsBlockedByApprovals .IsBlockedByRejection .IsBlockedByOfficialReviewRequests .IsBlockedByOutdatedBranch .IsBlockedByChangedProtectedFiles (and .EnableStatusCheck (not .RequiredStatusCheckState.IsSuccess))}}
|
||||||
|
|
||||||
{{/* admin can merge without checks, writer can merge when checks succeed */}}
|
{{/* admin can merge without checks, writer can merge when checks succeed */}}
|
||||||
{{$canMergeNow := and (or $.IsRepoAdmin (not $notAllOverridableChecksOk)) (or (not .AllowMerge) (not .RequireSigned) .WillSign)}}
|
{{$canMergeNow := and (or (and (not $.BlockAdminMergeOverride) $.IsRepoAdmin) (not $notAllOverridableChecksOk)) (or (not .AllowMerge) (not .RequireSigned) .WillSign)}}
|
||||||
{{/* admin and writer both can make an auto merge schedule */}}
|
{{/* admin and writer both can make an auto merge schedule */}}
|
||||||
|
|
||||||
{{if $canMergeNow}}
|
{{if $canMergeNow}}
|
||||||
|
@ -323,6 +323,13 @@
|
|||||||
<p class="help">{{ctx.Locale.Tr "repo.settings.block_outdated_branch_desc"}}</p>
|
<p class="help">{{ctx.Locale.Tr "repo.settings.block_outdated_branch_desc"}}</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
<div class="field">
|
||||||
|
<div class="ui checkbox">
|
||||||
|
<input name="block_admin_merge_override" type="checkbox" {{if .Rule.BlockAdminMergeOverride}}checked{{end}}>
|
||||||
|
<label>{{ctx.Locale.Tr "repo.settings.block_admin_merge_override"}}</label>
|
||||||
|
<p class="help">{{ctx.Locale.Tr "repo.settings.block_admin_merge_override_desc"}}</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
<div class="divider"></div>
|
<div class="divider"></div>
|
||||||
|
|
||||||
<div class="field">
|
<div class="field">
|
||||||
|
12
templates/swagger/v1_json.tmpl
generated
12
templates/swagger/v1_json.tmpl
generated
@ -18747,6 +18747,10 @@
|
|||||||
},
|
},
|
||||||
"x-go-name": "ApprovalsWhitelistUsernames"
|
"x-go-name": "ApprovalsWhitelistUsernames"
|
||||||
},
|
},
|
||||||
|
"block_admin_merge_override": {
|
||||||
|
"type": "boolean",
|
||||||
|
"x-go-name": "BlockAdminMergeOverride"
|
||||||
|
},
|
||||||
"block_on_official_review_requests": {
|
"block_on_official_review_requests": {
|
||||||
"type": "boolean",
|
"type": "boolean",
|
||||||
"x-go-name": "BlockOnOfficialReviewRequests"
|
"x-go-name": "BlockOnOfficialReviewRequests"
|
||||||
@ -19442,6 +19446,10 @@
|
|||||||
},
|
},
|
||||||
"x-go-name": "ApprovalsWhitelistUsernames"
|
"x-go-name": "ApprovalsWhitelistUsernames"
|
||||||
},
|
},
|
||||||
|
"block_admin_merge_override": {
|
||||||
|
"type": "boolean",
|
||||||
|
"x-go-name": "BlockAdminMergeOverride"
|
||||||
|
},
|
||||||
"block_on_official_review_requests": {
|
"block_on_official_review_requests": {
|
||||||
"type": "boolean",
|
"type": "boolean",
|
||||||
"x-go-name": "BlockOnOfficialReviewRequests"
|
"x-go-name": "BlockOnOfficialReviewRequests"
|
||||||
@ -20661,6 +20669,10 @@
|
|||||||
},
|
},
|
||||||
"x-go-name": "ApprovalsWhitelistUsernames"
|
"x-go-name": "ApprovalsWhitelistUsernames"
|
||||||
},
|
},
|
||||||
|
"block_admin_merge_override": {
|
||||||
|
"type": "boolean",
|
||||||
|
"x-go-name": "BlockAdminMergeOverride"
|
||||||
|
},
|
||||||
"block_on_official_review_requests": {
|
"block_on_official_review_requests": {
|
||||||
"type": "boolean",
|
"type": "boolean",
|
||||||
"x-go-name": "BlockOnOfficialReviewRequests"
|
"x-go-name": "BlockOnOfficialReviewRequests"
|
||||||
|
Loading…
Reference in New Issue
Block a user