Protect a Branch

By default, any project member can rename or delete a repository branch, and push or merge another branch into it. The project owner can protect a branch from these actions by setting restrictions on the branch:

  1. In the left navigator, click Project Administration Project Administration.
  2. Select the Branch Protection tile.
  3. Click in the search repository field and select the Git repository that has the branch you want to protect.
    All rules protecting the branches in that repository are displayed. To filter the list, type a full or partial rule name. Select a rule to display its details in the right-hand pane.
  4. Select the Branch name radio button, click in the search field below it, and select the branch.

    If no rules have been associated with the branch, proceed to the next step.

    If there any rules already associated with the branch, those will be displayed. If you select a rule, its details will be displayed in the right-hand pane.

  5. Click +Rule to create a new rule for the repository and associate it with a branch or multiple branches that match a defined pattern.
    The New Protection dialog is displayed.
    1. Click in the search repositories field and select the repository that you want to define the rule for.
    2. Click in the Provide glob pattern or select branch field.
      Select one of the displayed branches to associate the new rule with a specific branch or add an expression using wildcards to associate the rule with branches that match the glob pattern you provide. See Glob Pattern Reference for Matching Branch, Job, and Pipeline Names.
    3. Set the protection level (Open, Requires Review, Private, Frozen) and corresponding options.

      Here are the branch protection actions you can define:

      Action How To
      Require review and restrict merge actions Select the Requires Review option and configure the review options. See Set Review and Merge Restrictions on a Repository Branch.
      Restrict push actions to project owners and branch owners Select the Private option, as shown:Description of branch_protection.png follows
      Description of the illustration branch_protection.png

      To define branch owners, click Owners and select the user(s) and/or group(s). You can select multiple users (or groups).

      To push commits to a private branch from your computer, you must always use SSH. In addition, to run a build of job that uses a private branch, you must configure the job to use SSH.

      Lock a branch Select the Frozen option. No changes are allowed to a locked branch by any user.
      Prevent forced pushes to the branch Select the Do not allow forced pushes check box. The check box isn't available when the Requires Review or the Frozen option is selected as force push aren't allowed on a review or a frozen branch.
      Prevent renaming and deleting the branch Select the Do not allow renaming and deleting branch check box. The branch can be renamed or deleted after you deselect the check box. The check box isn't available when the Requires Review or the Frozen option is selected.

      Tip:

      On the Refs page, you can also click the Open, Private, Requires Review, or the Frozen branch label to edit its protection settings.
    4. Click Create.
The Activities stream on the Project Home page will report that the branch protection settings were modified.

Glob Pattern Reference for Matching Branch, Job, and Pipeline Names

Glob syntax can be used to specify pattern-matching behavior. A glob pattern is specified as a string and is matched against a branch, job, or pipeline name. These wildcard characters can be used in glob patterns:

Wildcard Description
* Matches zero or more characters of a name without crossing directory boundaries.
** Matches zero or more characters of a name crossing directory boundaries.
? Matches exactly one character.
[] A bracket expression that matches a single character out of a set of characters or, when the hyphen character is used, a range of characters.

For example, [abc] matches "a", "b", or "c". [a-z] specifies a range that matches from "a" to "z", inclusive. Forms can be mixed, so [abce-g] matches "a", "b", "c", "e", "f" or "g". If the character after the left bracket is an exclamation mark (!), it indicates negation, so the expression [!a-c] matches any character except "a", "b", or "c".

Within a bracket expression, the *, ? and \ characters match themselves. The (-) character matches itself if it is either the first character within the brackets or the first character after the !, if negating.

{} Represents a group of subpatterns. The group matches if any subpattern in the group matches. Uses a comma (",") to separate subpatterns. Groups can't be nested.
\ Escapes characters that would otherwise be interpreted as special characters.

For example, the expression "\\" matches a single backslash and "\{" matches a left brace.

The forward slash (/) represents the directory separator on all platforms.