
Configure what counts as a "dangerous change"
Closed, Resolved (Public)

Description

Our workflow involves users creating feature branches and deleting them after they land in the release branch. Branch deletes are flagged as a dangerous change so our options today are to disable that (and risk --force hell) or periodically disable it, prune branches, and enable again. Not ideal.

I propose we allow repo admins to configure what counts as dangerous.

Checkbox config to allow specific subsets of dangerous operations.

  • Allow branch deletions?
  • Allow tag updates?

Event Timeline

jpoehls renamed this task from Additional "dangerous changes" config options to Configure what counts as a "dangerous change".
jpoehls raised the priority of this task from to Needs Triage.
jpoehls updated the task description.
jpoehls added a project: Diffusion.
jpoehls added a subscriber: jpoehls.

You can configure branch-level protection by allowing dangerous changes and then writing a Herald rule to protect specific branches. For example:

For: Commit Hook: Branches/Tags/Bookmarks
Type: Global
When [all of] these conditions are met:
  [Ref type][is][branch]
  [Ref name][is][master]
  [Ref change type][has bit][dangerous change]
Take these actions:
  [Block change with message:][You can not rewrite or delete "master".]

You can be more or less specific about which actions you allow, and you can use "Ref name matches regexp" to match a bunch of branches with a single rule. You can also write rules which let some users delete branches (e.g., more experienced users) but not others (e.g., prevent new hires or bots from doing --force pushes).
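To make the rule semantics in the reply above concrete, here is a small, constructed model of how such Herald commit-hook rules evaluate a push (added for illustration; this is not Phabricator's or Herald's own code). The field names, the `dangerous` bit name, the user `alice` and the second "trusted pusher" rule are all assumptions made for the example:

```python
"""Toy evaluator for commit-hook rules like the one quoted above.
Constructed example, not Herald's implementation. Each push event carries
the fields a rule can test: ref type, ref name, change-type bits, user."""
import re

DANGEROUS = "dangerous"  # stand-in for Herald's "dangerous change" bit

# Constructed rules in the shape of the reply: every condition must hold
# for the rule to fire, and a firing rule blocks the push with its message.
RULES = [
    {   # the rule from the reply: nobody rewrites or deletes master
        "name": "protect-master",
        "ref_type": "branch",
        "ref_name_regex": r"^master$",
        "has_bit": DANGEROUS,
        "block_message": 'You can not rewrite or delete "master".',
    },
    {   # the variant the reply suggests: only trusted users may delete or
        # force-push any branch; the user set is an assumption for the demo
        "name": "dangerous-needs-trusted",
        "ref_type": "branch",
        "ref_name_regex": r".*",          # "Ref name matches regexp"
        "has_bit": DANGEROUS,
        "unless_user_in": {"alice"},
        "block_message": "Dangerous changes require a trusted pusher.",
    },
]


def evaluate(event, rules=RULES):
    """Return None when the push is allowed, else the blocking message."""
    for rule in rules:
        if event["ref_type"] != rule["ref_type"]:
            continue
        if not re.search(rule["ref_name_regex"], event["ref_name"]):
            continue
        if rule["has_bit"] not in event["bits"]:
            continue
        if event["user"] in rule.get("unless_user_in", set()):
            continue
        return rule["block_message"]
    return None
```

Run `evaluate` over a few constructed pushes: a feature-branch delete by a trusted user passes, the same delete by anyone else is blocked, and a delete of `master` is blocked for everyone, while a plain fast-forward push carries no dangerous bit and is never blocked.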

jpoehls claimed this task.

Well that was fast... And sounds perfect. Thanks!