-
Suggestion
-
Resolution: Fixed
-
87
-
As a project or repo admin I can define a branch/tag naming scheme that is enforced so that only conforming branch or tag names can be created.
This could be in the form of an extension to the branching model, or possibly implemented as a plugin (this sentence was added by Roger Barnes)
Additional acceptance criteria:
- full regular expression syntax can be used for branch/tag names
- is cloned from
-
- Closed
- is duplicated by
-
- Closed
-
- Closed
- relates to
-
BSERV-7503 "Prevent changes without a pull request" restriction doesn't prevent initial commit
-
- Closed
-
- mentioned in
-
Page Failed to load
-
Page Loading...
-
-
-
-
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[BSERV-4208] Restrict addition of branches and tags by name
> scriptRunner is a pre-recieve hook, if a branch is created within Bitbucket it will not trigger scriptrunner.
This is not quite true. In previous versions we provided both an event listener and a pre-receive hook so that it would be enforced from both places.
In recent Bitbucket versions they changed the API, and the hook is called from both the UI and the pre-receive hook. Therefore it's sufficient to just add the pre-receive hook now, in ScriptRunner.
scriptRunner is a pre-recieve hook, if a branch is created within Bitbucket it will not trigger scriptrunner.
Personally, I think it's incredibly frustrating for Atlassian to (essentially) require their customers to purchase dozens of paid add-ons just to implement basic functionality in their products.
The ability to use regular expression patterns to control branch and tag access should be a basic feature of the core product.
Atlassian has a gentlemen's agreement with the add-on ecosystem that they will not make something a built-in feature if it already exists as an add-on.
I used ScriptRunner to block tags, with this regex:
^(?!(port|ported|to_port)$).*
Result:
± |develop ✓| → git tag port ; git push origin port Total 0 (delta 0), reused 0 (delta 0) remote: remote: ===================================================================== remote: Tags named "port", "ported", "to_port" are not allowed in this repository. remote: ===================================================================== remote: remote: To ssh://**********.git ! [remote rejected] port -> port (pre-receive hook declined) error: failed to push some refs to 'ssh://**********.git'
Akul Bhatnagar
added a comment - +1 to make it a in-built feature The YACC plugin also supports the restriction of branch creation via regex.
The issue described in BSERV-7503 was closed and we are told to vote for this issue as an alternate solution to the problem. This issue isn't the same as BSERV-7503. This issue is only about preventing branch name creation that doesn't meet a specific naming pattern. That can be accomplished using ScriptRunner for Stash.
In BSERV-7503, the issue isn't about branch creation, it's about a commit being pushed to a branch and being correctly blocked. I would expect BSERV-4208 to block the push -u lines in both example below if the branch name doesn't meet the rules. However if the naming rules rules are met and I have branch restrictions set to block commits without a pull request then BSERV-7503 should block the second sequence shown below as it pushes a new commit
git clone repo # Repo has commits without a PR blocked for feature/branch*
git checkout master
git checkout -b feature/branch1 # Create a branch that conforms to branch name policy
git push -u origin feature/branch1 # Push that branch name.
touch file1 # Create a file
git add -A # Add the file
git commit -m "Blocked commit" # Commit the file
git push # Push is blocked as it's a commit without a pull request
However with the same branch restriction, to block commits without a pull request, the sequence shown below, which is logically the same as the above will allow the commit to be pushed which IMO is incorrect.
git clone repo # Repo has commits without a PR blocked for feature/branch*
git checkout master
git checkout -b feature/branch2 # Create a branch that conforms to branch name policy
touch file2 # Create a file
git add -A # Add the file
git commit -m "Unblocked commit" # Commit the file
git push -u origin feature/branch2 # Push succeeds even with the branch restriction
IMO both sequences should have blocked the commit from being pushed. I understand that someone could circumvent the push restriction by using the push of just a branch after they have pushed to a non-blocked branch.
I'm not worried about a malicious attempt to push code without a pull request, I'm worried about the accidental case. The second sequence of events is likely to be a much more common workflow than the first. It's shorter and is likely a common sequence of commands. Unfortunately it will also allow a protected branch to have a commit pushed to it which I believe is incorrect.
Anna
added a comment - I have an add-on that restricts creating branches out of repository's branching model scope. Give it a try if you like:
Anna
added a comment - I have an add-on that restricts creating branches out of repository's branching model scope. Give it a try if you like:
https://marketplace.atlassian.com/plugins/com.parallels.bitbucket.plugins.restrictbranchmodel/server/overview We recently released a new plugin that supports naming schemes for branches and tags, and also repos and projects - ScriptRunner for Stash.
It provides a pre-receive hook where you can supply one or more regexes for branches and tags. You could also use conditions, such as permission level of the person pushing, to allow for different naming schemes within the same repo, or to allow administrators to override.
Docs are here.
Our free Control Freak plugin can enforce branch naming and tag naming policies based on regex or other rules.