gitlabform

Using the premium only branch protection rules causes unnecessary updating

Open andrewjw opened this issue 10 months ago • 5 comments

If you use the premium only branch protection rules (allowed_to_push, allowed_to_merge) then the diffing doesn't work and it unprotects and then reprotects the branches every run. This causes extra API load, and spams the project's audit logs.

Example config

    main:
      protected: true
      allowed_to_push:
        - user: username
      allowed_to_merge:
        - access_level: developer
      code_owner_approval_required: true

This gets turned into the following Python object...

    {'protected': True, 'allowed_to_push': [{'user_id': 1767}], 'allowed_to_merge': [{'access_level': 30}], 'code_owner_approval_required': True}

The data returned from the GitLab API is:

    {'project_id': '20306', 'id': 28843761, 'name': 'master',
     'push_access_levels': [{'id': 28960972, 'access_level': 40, 'access_level_description': 'username', 'deploy_key_id': None, 'user_id': 1767, 'group_id': None}],
     'merge_access_levels': [{'id': 28981208, 'access_level': 30, 'access_level_description': 'Developers + Maintainers', 'user_id': None, 'group_id': None}],
     'allow_force_push': False,
     'unprotect_access_levels': [{'id': 26711591, 'access_level': 40, 'access_level_description': 'Maintainers', 'user_id': None, 'group_id': None}],
     'code_owner_approval_required': True, 'inherited': False}

and since they don't match, the branch is unprotected and reprotected.

GitLabForm version

GitLabForm version: 4.2.5

GitLab version

17.11.2 (self managed, premium tier)

andrewjw, May 30 '25 15:05
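
As an added illustration (not gitlabform's code and not the change made in any linked PR), one way to compare the two objects quoted in the issue above so that server-generated fields do not register as a difference. The config-to-API key mapping and the rule that a user, group or deploy-key entry is identified by its ID alone are assumptions.

```python
# Added example, not gitlabform's own code. Both dicts are the ones quoted in
# the issue above, with the API response trimmed to the fields compared here.
CONFIGURED = {
    "protected": True,
    "allowed_to_push": [{"user_id": 1767}],
    "allowed_to_merge": [{"access_level": 30}],
    "code_owner_approval_required": True,
}
FROM_API = {
    "push_access_levels": [{"id": 28960972, "access_level": 40,
        "access_level_description": "username", "deploy_key_id": None,
        "user_id": 1767, "group_id": None}],
    "merge_access_levels": [{"id": 28981208, "access_level": 30,
        "access_level_description": "Developers + Maintainers",
        "user_id": None, "group_id": None}],
    "code_owner_approval_required": True,
}
# Config key -> key under which the API reports the same rule list.
RULE_KEYS = {
    "allowed_to_push": "push_access_levels",
    "allowed_to_merge": "merge_access_levels",
    "allowed_to_unprotect": "unprotect_access_levels",
}
PRINCIPALS = ("user_id", "group_id", "deploy_key_id")


def rule_identity(rule):
    """Reduce one rule to (kind, value), ignoring server-generated fields."""
    for key in PRINCIPALS:
        # Assumption: a user/group/key rule is identified by its ID alone, so
        # the access_level the API attaches to such a rule is not compared.
        if rule.get(key) is not None:
            return (key, rule[key])
    return ("access_level", rule.get("access_level"))


def needs_update(configured, from_api):
    """True only if a setting present in the config differs on the server."""
    for key, value in configured.items():
        if key == "protected":
            continue  # assumed True here; an API record means it is protected
        if key in RULE_KEYS:
            want = {rule_identity(r) for r in value}
            have = {rule_identity(r) for r in from_api.get(RULE_KEYS[key], [])}
            if want != have:
                return True
        elif from_api.get(key) != value:
            return True
    return False
```

With the issue's data, `needs_update(CONFIGURED, FROM_API)` returns `False`, so no unprotect/reprotect cycle and no audit-log entry would be triggered; a direct equality check of the same lists reports a difference on every run.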

Hi @amimas I can see you left 👀 for the initial comment.

Have you had a chance to look at the issue? Based on the description, it causes the same issues for us to recreate (remove and create protected branches again) for ~700 repos on each gitlabform run.

Happy to debug more and provide logs if you need!

hiaik, Jun 05 '25 05:06

@amimas @andrewjw It seems https://github.com/gitlabform/gitlabform/pull/996 might solve the issue reported in this ticket based on:

> In this PR I try to implement diff detection, so that GitLabForm updates branch protection only when needed, and changes are applied only to rules/settings that are different from those set in GitLabForm config.

hiaik, Jun 11 '25 05:06

Thanks @hiaik, I agree, assuming the diffing supports the premium features it will fix this issue too. I'd be happy to close it in favour of #996, but I'm also ok with keeping it open so I can confirm it is fixed with that change if people prefer.

andrewjw, Jun 11 '25 12:06

I suggest we keep it open until the PR has been merged.

amimas, Jul 26 '25 16:07

Should be resolved by: https://github.com/gitlabform/gitlabform/pull/1070

TimKnight-DWP, Aug 05 '25 14:08