Page MenuHomePhabricator

Configure what counts as a "dangerous change"
Closed, ResolvedPublic


Our workflow involves users creating feature branches and deleting them after they land in the release branch. Branch deletes are flagged as a dangerous change so our options today are to disable that (and risk --force hell) or periodically disable it, prune branches, and enable again. Not ideal.

I propose we allow repo admins to configure what counts as dangerous.

Checkbox config to allow specific subsets of dangerous operations.

  • Allow branch deletions?
  • Allow tag updates?

Event Timeline

jpoehls created this task.Apr 15 2015, 7:21 AM
jpoehls renamed this task from Additional "dangerous changes" config options to Configure what counts as a "dangerous change".
jpoehls raised the priority of this task from to Needs Triage.
jpoehls updated the task description. (Show Details)
jpoehls added a project: Diffusion.
jpoehls added a subscriber: jpoehls.

You can configure branch-level protection by allowing dangerous changes and then writing a Herald rule to protect specific branches. For example:

For: Commit Hook: Branches/Tags/Bookmarks
Type: Global
When [all of] these conditions are met:
  [Ref type][is][branch]
  [Ref name][is][master]
  [Ref change type][has bit][dangerous change]
Take these actions:
  [Block change with message:][You can not rewrite or delete "master".]

You can be more or less specific about which actions you allow, and you can use "Ref name matches regexp" to match a bunch of branches with a single rule. You can also write rules which let some users delete branches (e.g., more experienced users) but not others (e.g., prevent new hires or bots from doing --force pushes).

jpoehls closed this task as Resolved.Apr 15 2015, 12:00 PM
jpoehls claimed this task.

Well that was fast... And sounds perfect. Thanks!