-
Suggestion
-
Resolution: Unresolved
I've had a few instances where developers have pushed tags accidentally/in error. After this point it's really difficult to get rid of them in a big team as - once they're on the remote - they tend to keep reappearing even if they're deleted as other developers end up with them in their local repos and re-pushing them accidentally.
It would be amazing if it was possible to restrict who had permission to push tags to a Bitbucket hosted Git repo in the first place to stop this happening.
Also, due to compliance and permissions policy requirements, its critical to give the ability to Workspace/Project or Repo Admins to limit number of users who can manipulate Tags, example: by adding or removing a tag.
- duplicates
-
- Closed
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[BCLOUD-10967] Restrict Pushing Git Tags to Certain Users in a Bitbucket Repo (BB-12083)
This ticket had it's 10 years anniversary and this fundamental feature, which every other git server (gerrit, github, gitlab, gitea etc.) has since years, is still marked as "suggestion".
All of the mentioned workarounds are useless, since they can not prevent tags from being pushed, overwritten or removed.
So years have passed by and still the only acceptable solution is not to use Bitbucket Cloud if tags are important...
Hello ff7973bfbacf
I've tested `/refs/tags/*` approach with branch restrictions in Bitbucket Cloud - got fruitless result.
Regular user with R\W access was able to push tag to master branch tip.
Could you please share way how you achieved?
It would be enough to be able to use branch permissions to control /refs/tags/*.
The use case is to prevent any user being able to rewrite (force push) or delete tags. Doing so violates assumptions in our release system which seem reasonable and they could be enforced in all major competing products.
Hi all, it’s Julen from the Bitbucket Cloud product team. We have reviewed this request and are actively looking into when we can fit this work in the future. In the short term, here are some potential workarounds to this problem:
- We are a few weeks away from shipping Forge based pre-merge checks. With these you could create pre-merge checks to only allow certain users to merge new tags.
- Implementing pre-commit hooks that stop pushing of tags. You can have a master file that contains all approved tags and have pre-commit hook to check all tags against this list.
- Instead of deleting old tags, deprecate tags, and create new ones.
"Tags in BB cloud cannot be removed once added (except to do so locally in Git)"
For me this is the worst part because for aerospace, the authority requires tags to be read-only
Our team has migrated from Bitbucket Server and this feature is really important for us. As everybody already said, it's impossible to get rid of some tags as it's resent to remote by accident by some Dev.
This is a way to overcome issues from https://jira.atlassian.com/browse/BCLOUD-22675
Please prioritize.
This type of thing is super frustrating. This is basic functionality and I'm trying to wrap my head around how:
- Tags are traditionally and commonly used for release versioning
- Tags in BB cloud cannot be removed once added (except to do so locally in Git)
- Anyone can add tags with no restrictions or permission assignments required
I mean, that is crazy to me. If BB cloud isn't production ready, then just say so and let us keep using BB server.
Team, please prioritize this feature. This is very important from a security point of view.
This is an important feature for any setup where CI/CD actions are triggered via tags. Please prioritize!
It would be really great if one could restrict this globally, or even better restrict certain tags like "release-*".
+1
This is really needed when a tag is used for production deployment.
This feature request is created 8 years ago, how long will it take?
This issue has gathered enough interest to be moved automatically to Reviewing status, where it will be reviewed to someone in the relevant product development team and moved on to the appropriate status.
i wish i never complained about this.
this is the worst spam mailing list ever
make it stop
We want to use tag for marking production commit.
So, this feature is required.
Has anyone figured out a workaround to this? Since we cannot implement pre-receive hooks in Bitbucket cloud it doesn't seem possible.
Can Atlassian extend the 'Branch Permissions' in Bitbucket cloud to support tag patterns like `refs/tags/*` ?
We trigger build+deploy from an existing tag, that only certain senior developers should have permission to 'move'.
Sadly an important feature where Bitbucket Cloud is lagging behind... e.g. compared to GitLab https://docs.gitlab.com/ee/user/project/protected_tags.html
As already described by previous comments, tags are increasingly used as part of work process, and in particular as specific automatic triggers of CI/CD.
This highlights the needs for ability to define permission settings on tags on remote, especially now that Bitbucket is moving to promote usage of automatic pipelines.
+1
Being unable to control permissions on tags has just cost our team (again).
TBH We're fast reaching the point where leaving Bitbucket Cloud makes much more sense than staying.
Separate tag permissions would help git gain more traction in the professional, process driven world, where it is not acceptable that tags are mutable. (See safety case)
Jira has a forum about the BC concept that includes restricting pushing Git tags too certain to get the users in a Bitbucket. It has the unassigned, the brand permissions. You have to visit https://www.proessaywriting.com/paper-writing/ to complete your daily assignments. You can get the associated tags that develops it. Join them for more.
Never mind. We migrated away from Bitbucket after waiting 6 years for this simple feature.
Thanks anyway though ;p
+1 we can't do any tag based releases either unless there are some restrictions around tagging (like immutable tagging, restricted to certain users etc..)
+1 We have a tag-based release pipeline and it is super important for us to be able to limit who can push tags to the repository.
I agree with your point of view! I think there will be a solution for sure. We are unable to figure it out. You can get easily buy dissertations to get reliable data from us. My aunt is a software developer, I will ask her if she can help.
This would be very helpful in allowing our team to drive automation and allow for proper governance around tags.
This would be nice. It's particularly problematic in scenarios where you've squashed history and open sourced a repository, and you want to have a way of stopping people pushing old tags back to the repo.
Seems critical for a tag-based release process. Difficult to see how any controlled release process could really work without this.
0ac8075348d9 Don´t get stressed, do like me, change to Github and be happy
Talk to Atlassian and talk to your hands are the same