Commit 563849fc authored by Amy Qualls's avatar Amy Qualls Committed by Fiona Neill

Finish clarifying confidential merge requests

parent 2d89bff9
...@@ -11,11 +11,11 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -11,11 +11,11 @@ info: To determine the technical writer assigned to the Stage/Group associated w
Merge requests in a public repository are also public, even when the merge Merge requests in a public repository are also public, even when the merge
request is created for a [confidential issue](../issues/confidential_issues.md). request is created for a [confidential issue](../issues/confidential_issues.md).
To avoid leaking confidential information when working on a confidential issue, To avoid leaking confidential information when working on a confidential issue,
create your merge request from a private fork. create your merge request from a private fork in the same namespace.
Roles are inherited from parent groups. If you create your private fork in the Roles are inherited from parent groups. If you create your private fork in the
same group or subgroup as the original (public) repository, developers receive same namespace (same group or subgroup) as the original (public) repository,
the same permissions in your fork. This inheritance ensures: developers receive the same permissions in your fork. This inheritance ensures:
- Developer users have the needed permissions to view confidential issues and resolve them. - Developer users have the needed permissions to view confidential issues and resolve them.
- You do not need grant individual users access to your fork. - You do not need grant individual users access to your fork.
...@@ -24,13 +24,17 @@ The [security practices for confidential merge requests](https://gitlab.com/gitl ...@@ -24,13 +24,17 @@ The [security practices for confidential merge requests](https://gitlab.com/gitl
## Create a confidential merge request ## Create a confidential merge request
WARNING:
To create a confidential merge request, you must create a private fork. This fork
may expose confidential information, if you create your fork in another namespace
that may have other members.
Branches are public by default. To protect the confidentiality of your work, you Branches are public by default. To protect the confidentiality of your work, you
must create your changes in a private fork. must create your branches and merge requests in the same namespace, but downstream
in a private fork. If you create your private fork in the same namespace as the
public repository, your fork inherits the permissions of the upstream public repository.
Users with the Developer role in the upstream public repository inherit those upstream
permissions in your downstream private fork without action by you. These users can
immediately push code to branches in your private fork to help fix the confidential issue.
WARNING:
Your private fork may expose confidential information, if you create it in a different
namespace than the upstream repository. The two namespaces may not contain the same users.
Prerequisites: Prerequisites:
...@@ -56,16 +60,15 @@ To create a confidential merge request: ...@@ -56,16 +60,15 @@ To create a confidential merge request:
branches must be available in your selected fork. branches must be available in your selected fork.
1. Select **Create**. 1. Select **Create**.
If you created a branch in your private fork, users with the Developer role in the This merge request targets your private fork, not the public upstream project.
public repository can push code to that branch in your private fork to fix the Your branch, merge requests, and commits remain in your private fork. This prevents
confidential issue. prematurely revealing confidential information.
As your merge request targets your private fork, not the public upstream project, Open a merge request
your branch, merge request, and commits do not enter the public repository. This [from your fork to the upstream repository](../repository/forking_workflow.md#merging-upstream) when:
prevents prematurely revealing confidential information.
To make a confidential commit public, open a merge request from the private fork - You are satisfied the problem is resolved in your private fork.
to the public upstream project. - You are ready to make the confidential commits public.
## Related links ## Related links
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment