Merge branch '340403-migrate-default-branch-protection-to-repository-settings' into 'master'

Move default branch protection to repository settings See merge request gitlab-org/gitlab!81012

Merge branch '340403-migrate-default-branch-protection-to-repository-settings' into 'master'
Move default branch protection to repository settings See merge request gitlab-org/gitlab!81012
9ec1872a · Phil Hughes · e87db2ad · 1a820626 · 9ec1872a · 9ec1872a
Commit 9ec1872a authored Mar 07, 2022 by Phil Hughes
17 changed files
--- a/app/views/admin/application_settings/_initial_branch_name.html.haml
+++ b/app/views/admin/application_settings/_initial_branch_name.html.haml
-= form_for @application_setting, url: repository_admin_application_settings_path(anchor: 'js-default-branch-name'), html: { class: 'fieldset-form' } do |f|
+= gitlab_ui_form_for @application_setting, url: repository_admin_application_settings_path(anchor: 'js-default-branch-name'), html: { class: 'fieldset-form' } do |f|
  = form_errors(@application_setting)

  - fallback_branch_name = "<code>#{Gitlab::DefaultBranch.value}</code>"

  %fieldset
    .form-group
-      = f.label :default_branch_name, _('Default initial branch name'), class: 'label-light'
+      = f.label :default_branch_name, _('Initial default branch name'), class: 'label-light'
      = f.text_field :default_branch_name, placeholder: Gitlab::DefaultBranch.value, class: 'form-control gl-form-input'
      %span.form-text.text-muted
        = (s_("AdminSettings|If not specified at the group or instance level, the default is %{default_initial_branch_name}. Does not affect existing repositories.") % { default_initial_branch_name: fallback_branch_name } ).html_safe

+    = render 'shared/default_branch_protection', f: f
+
+    = render_if_exists 'admin/application_settings/group_owners_can_manage_default_branch_protection_setting', form: f
+
  = f.submit _('Save changes'), class: 'gl-button btn-confirm'
--- a/app/views/admin/application_settings/_visibility_and_access.html.haml
+++ b/app/views/admin/application_settings/_visibility_and_access.html.haml
@@ -2,9 +2,6 @@
  = form_errors(@application_setting)

  %fieldset
-    = render 'shared/default_branch_protection', f: f
-    = render_if_exists 'admin/application_settings/group_owners_can_manage_default_branch_protection_setting', form: f
-
    = render 'shared/project_creation_levels', f: f, method: :default_project_creation, legend: s_('ProjectCreationLevel|Default project creation protection')
    = render_if_exists 'admin/application_settings/default_project_deletion_protection_setting', form: f
    = render_if_exists 'admin/application_settings/default_delayed_project_deletion_setting', form: f

--- a/app/views/admin/application_settings/repository.html.haml
+++ b/app/views/admin/application_settings/repository.html.haml
@@ -5,13 +5,13 @@
 %section.settings.as-default-branch-name.no-animate#js-default-branch-name{ class: ('expanded' if expanded_by_default?) }
  .settings-header
    %h4
-      = _('Default initial branch name')
+      = _('Default branch')
    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
      = expanded_by_default? ? _('Collapse') : _('Expand')
    %p
-      = s_('AdminSettings|The default name for the initial branch of new repositories created in the instance.')
+      = s_('AdminSettings|Set the initial name and protections for the default branch of new repositories created in the instance.')
  .settings-content
-    = render 'initial_branch_name'
+    = render 'default_branch'

 %section.settings.as-mirror.no-animate#js-mirror-settings{ class: ('expanded' if expanded_by_default?) }
  .settings-header

--- a/app/views/groups/settings/_permissions.html.haml
+++ b/app/views/groups/settings/_permissions.html.haml
@@ -35,7 +35,6 @@
    = render_if_exists 'groups/settings/ip_restriction', f: f, group: @group
    = render_if_exists 'groups/settings/allowed_email_domain', f: f, group: @group
    = render 'groups/settings/lfs', f: f
-    = render 'groups/settings/default_branch_protection', f: f, group: @group
    = render 'groups/settings/project_creation_level', f: f, group: @group
    = render 'groups/settings/subgroup_creation_level', f: f, group: @group
    = render_if_exists 'groups/settings/prevent_forking', f: f, group: @group

--- a/app/views/groups/settings/repository/_initial_branch_name.html.haml
+++ b/app/views/groups/settings/repository/_initial_branch_name.html.haml
 %section.settings.as-default-branch-name.no-animate#js-default-branch-name{ class: ('expanded' if expanded_by_default?) }
  .settings-header
    %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
-      = _('Default initial branch name')
+      = _('Default branch')
    %button.gl-button.js-settings-toggle{ type: 'button' }
      = expanded_by_default? ? _('Collapse') : _('Expand')
    %p
-      = s_('GroupSettings|The default name for the initial branch of new repositories created in the group.')
+      = s_('GroupSettings|Set the initial name and protections for the default branch of new repositories created in the group.')
  .settings-content
-    = form_for @group, url: group_path(@group, anchor: 'js-default-branch-name'), html: { class: 'fieldset-form' } do |f|
+    = gitlab_ui_form_for @group, url: group_path(@group, anchor: 'js-default-branch-name'), html: { class: 'fieldset-form' } do |f|
      = form_errors(@group)
      - fallback_branch_name = "<code>#{Gitlab::DefaultBranch.value(object: @group)}</code>"

      %fieldset
        .form-group
-          = f.label :default_branch_name, _('Default initial branch name'), class: 'label-light'
+          = f.label :default_branch_name, _('Initial default branch name'), class: 'label-light'
          = f.text_field :default_branch_name, value: group.namespace_settings&.default_branch_name, placeholder: Gitlab::DefaultBranch.value(object: @group), class: 'form-control'
          %span.form-text.text-muted
            = (s_("GroupSettings|If not specified at the group or instance level, the default is %{default_initial_branch_name}. Does not affect existing repositories.") % { default_initial_branch_name: fallback_branch_name }).html_safe

-      = f.hidden_field :redirect_target, value: "repository_settings"
-      = f.submit _('Save changes'), class: 'btn gl-button btn-confirm'
+        = render 'groups/settings/default_branch_protection', f: f, group: @group
+
+        = f.hidden_field :redirect_target, value: "repository_settings"
+        = f.submit _('Save changes'), class: 'btn gl-button btn-confirm'
--- a/app/views/groups/settings/repository/show.html.haml
+++ b/app/views/groups/settings/repository/show.html.haml
@@ -4,4 +4,4 @@
 - deploy_token_description = s_('DeployTokens|Group deploy tokens allow access to the packages, repositories, and registry images within the group.')

 = render "shared/deploy_tokens/index", group_or_project: @group, description: deploy_token_description
-= render "initial_branch_name", group: @group
+= render "default_branch", group: @group
--- a/app/views/shared/_default_branch_protection.html.haml
+++ b/app/views/shared/_default_branch_protection.html.haml
-%fieldset.form-group
-  %legend.h5.gl-border-none.gl-mt-0.gl-mb-3= _('Default branch protection')
+.form-group
+  %legend.h5.gl-border-none.gl-mt-0.gl-mb-3= _('Initial default branch protection')
  - Gitlab::Access.protection_options.each do |option|
    = f.gitlab_ui_radio_component :default_branch_protection, option[:value], option[:label], help_text: option[:help_text]
--- a/doc/user/admin_area/settings/index.md
+++ b/doc/user/admin_area/settings/index.md
@@ -170,6 +170,8 @@ The **Repository** settings contain:

 - [Repository's custom initial branch name](../../project/repository/branches/default.md#instance-level-custom-initial-branch-name) -
  Set a custom branch name for new repositories created in your instance.
+- [Repository's initial default branch protection](../../project/repository/branches/default.md#instance-level-default-branch-protection) -
+  Configure the branch protections to apply to every repository's default branch.
 - [Repository mirror](visibility_and_access_controls.md#enable-project-mirroring) -
  Configure repository mirroring.
 - [Repository storage](../../../administration/repository_storage_types.md) - Configure storage path settings.

--- a/doc/user/admin_area/settings/visibility_and_access_controls.md
+++ b/doc/user/admin_area/settings/visibility_and_access_controls.md
@@ -17,54 +17,6 @@ To access the visibility and access control options:
 1. On the left sidebar, select **Settings > General**.
 1. Expand the **Visibility and access controls** section.

-## Protect default branches
-
-With this option, you can define [branch protections](../../project/protected_branches.md)
-to apply to every repository's [default branch](../../project/repository/branches/default.md).
-These protections specify the user roles with permission to push to default branches.
-
-This setting applies only to each repository's default branch. To protect other branches,
-you must configure [branch protection in the repository](../../project/protected_branches.md),
-or configure [branch protection for groups](../../group/index.md#change-the-default-branch-protection-of-a-group).
-
-To change the default branch protection for the entire instance:
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the top bar, select **Menu > Admin**.
-1. On the left sidebar, select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. Select a **Default branch protection**:
-   - **Not protected** - Both developers and maintainers can push new commits
-     and force push.
-   - **Protected against pushes** - Developers cannot push new commits, but are
-     allowed to accept merge requests to the branch. Maintainers can push to the branch.
-   - **Partially protected** - Both developers and maintainers can push new commits,
-     but cannot force push.
-   - **Fully protected** - Developers cannot push new commits, but maintainers can.
-     No one can force push.
-1. To allow group owners to override the instance's default branch protection, select
-   [**Allow owners to manage default branch protection per group**](#prevent-overrides-of-default-branch-protection).
-1. Select **Save changes**.
-
-### Prevent overrides of default branch protection **(PREMIUM SELF)**
-
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/211944) in GitLab 13.0.
-
-Instance-level protections for [default branch](../../project/repository/branches/default.md)
-can be overridden on a per-group basis by the group's owner. In
-[GitLab Premium or higher](https://about.gitlab.com/pricing/), GitLab administrators can
-disable this privilege for group owners, enforcing the instance-level protection rule:
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the top bar, select **Menu > Admin**.
-1. On the left sidebar, select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. Clear the **Allow owners to manage default branch protection per group** checkbox.
-1. Select **Save changes**.
-
-NOTE:
-GitLab administrators can still update the default branch protection of a group.
-
 ## Define which roles can create projects

 Instance-level protections for project creation define which roles can

--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -204,24 +204,17 @@ A to-do item is created for all the group and subgroup members.

 ## Change the default branch protection of a group

-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7583) in GitLab 12.9.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7583) in GitLab 12.9.
+> - [Settings moved and renamed](https://gitlab.com/gitlab-org/gitlab/-/issues/340403) in GitLab 14.9.

 By default, every group inherits the branch protection set at the global level.

-To change this setting for a specific group:
-
-1. On the top bar, select **Menu > Groups**.
-1. Select **Your Groups**.
-1. Find the group and select it.
-1. From the left menu, select **Settings > General**.
-1. Expand the **Permissions and group features** section.
-1. Select the desired option in the **Default branch protection** dropdown list.
-1. Select **Save changes**.
+To change this setting for a specific group, see [group level default branch protection](../project/repository/branches/default.md#group-level-default-branch-protection).

-To change this setting globally, see [Default branch protection](../admin_area/settings/visibility_and_access_controls.md#protect-default-branches).
+To change this setting globally, see [initial default branch protection](../project/repository/branches/default.md#instance-level-default-branch-protection).

 NOTE:
-In [GitLab Premium or higher](https://about.gitlab.com/pricing/), GitLab administrators can choose to [disable group owners from updating the default branch protection](../admin_area/settings/visibility_and_access_controls.md#prevent-overrides-of-default-branch-protection).
+In [GitLab Premium or higher](https://about.gitlab.com/pricing/), GitLab administrators can choose to [disable group owners from updating the default branch protection](../project/repository/branches/default.md#prevent-overrides-of-default-branch-protection).

 ## Add projects to a group


--- a/doc/user/project/protected_branches.md
+++ b/doc/user/project/protected_branches.md
@@ -29,7 +29,7 @@ When a branch is protected, the default behavior enforces these restrictions on
 ### Set the default branch protection level

 Administrators can set a default branch protection level in the
-[Admin Area](../admin_area/settings/visibility_and_access_controls.md#protect-default-branches).
+[Admin Area](../project/repository/branches/default.md#instance-level-default-branch-protection).

 ## Configure a protected branch


--- a/doc/user/project/repository/branches/default.md
+++ b/doc/user/project/repository/branches/default.md
@@ -81,13 +81,83 @@ overrides it.
 Users with at least the Owner role of groups and subgroups can configure the default branch name for a group:

 1. Go to the group **Settings > Repository**.
-1. Expand **Default initial branch name**.
+1. Expand **Default branch**.
 1. Change the default initial branch to a custom name of your choice.
 1. Select **Save changes**.

 Projects created in this group after you change the setting use the custom branch name,
 unless a subgroup configuration overrides it.

+## Protect initial default branches **(FREE SELF)**
+
+GitLab administrators and group owners can define [branch protections](../../../project/protected_branches.md)
+to apply to every repository's [default branch](#default-branch)
+at the [instance level](#instance-level-default-branch-protection) and
+[group level](#group-level-default-branch-protection) with one of the following options:
+
+- **Not protected** - Both developers and maintainers can push new commits
+   and force push.
+- **Protected against pushes** - Developers cannot push new commits, but are
+   allowed to accept merge requests to the branch. Maintainers can push to the branch.
+- **Partially protected** - Both developers and maintainers can push new commits,
+   but cannot force push.
+- **Fully protected** - Developers cannot push new commits, but maintainers can.
+   No one can force push.
+
+### Instance-level default branch protection **(FREE SELF)**
+
+This setting applies only to each repository's default branch. To protect other branches,
+you must either:
+
+- Configure [branch protection in the repository](../../../project/protected_branches.md).
+- Configure [branch protection for groups](../../../group/index.md#change-the-default-branch-protection-of-a-group).
+
+Administrators of self-managed instances can customize the initial default branch protection for projects hosted on that instance. Individual
+groups and subgroups can override this instance-wide setting for their projects.
+
+1. On the top bar, select **Menu > Admin**.
+1. On the left sidebar, select **Settings > Repository**.
+1. Expand **Default branch**.
+1. Select [**Initial default branch protection**](#protect-initial-default-branches).
+1. To allow group owners to override the instance's default branch protection, select
+   [**Allow owners to manage default branch protection per group**](#prevent-overrides-of-default-branch-protection).
+1. Select **Save changes**.
+
+#### Prevent overrides of default branch protection **(PREMIUM SELF)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/211944) in GitLab 13.0.
+
+Instance-level protections for default branches
+can be overridden on a per-group basis by the group's owner. In
+[GitLab Premium or higher](https://about.gitlab.com/pricing/), GitLab administrators can
+disable this privilege for group owners, enforcing the instance-level protection rule:
+
+1. On the top bar, select **Menu > Admin**.
+1. On the left sidebar, select **Settings > Repository**.
+1. Expand the **Default branch** section.
+1. Clear the **Allow owners to manage default branch protection per group** checkbox.
+1. Select **Save changes**.
+
+NOTE:
+GitLab administrators can still update the default branch protection of a group.
+
+### Group-level default branch protection **(PREMIUM)**
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7583) in GitLab 12.9.
+> - [Settings moved and renamed](https://gitlab.com/gitlab-org/gitlab/-/issues/340403) in GitLab 14.9.
+
+Instance-level protections for [default branch](#default-branch)
+can be overridden on a per-group basis by the group's owner. In
+[GitLab Premium or higher](https://about.gitlab.com/pricing/), GitLab administrators can
+[enforce protection of initial default branches](#prevent-overrides-of-default-branch-protection)
+which locks this setting for group owners.
+
+1. On the top bar, select **Menu > Groups** and find your group.
+1. On the left sidebar, select **Settings > Repository**.
+1. Expand **Default branch**.
+1. Select [**Initial default branch protection**](#protect-initial-default-branches).
+1. Select **Save changes**.
+
 ## Update the default branch name in your repository

 WARNING:

--- a/ee/app/views/admin/application_settings/_group_owners_can_manage_default_branch_protection_setting.html.haml
+++ b/ee/app/views/admin/application_settings/_group_owners_can_manage_default_branch_protection_setting.html.haml
@@ -5,4 +5,6 @@
 .form-group.form-check
  = f.check_box :group_owners_can_manage_default_branch_protection, class: 'form-check-input'
  = f.label :group_owners_can_manage_default_branch_protection, class: 'form-check-label' do
-    = _('Allow owners to manage default branch protection per group')
+    = _('Allow owners to manage default branch protection per group.')
+    .form-text.text-muted
+      = s_("AdminSettings|Affects all new and existing groups.")
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -2589,6 +2589,9 @@ msgstr ""
 msgid "AdminSettings|A Let's Encrypt account will be configured for this GitLab instance using this email address. You will receive emails to warn of expiring certificates. %{link_start}Learn more.%{link_end}"
 msgstr ""

+msgid "AdminSettings|Affects all new and existing groups."
+msgstr ""
+
 msgid "AdminSettings|All new projects can use the instance's shared runners by default."
 msgstr ""

@@ -2664,6 +2667,9 @@ msgstr ""
 msgid "AdminSettings|Set a CI/CD template as the required pipeline configuration for all projects in the instance. Project CI/CD configuration merges into the required pipeline configuration when the pipeline runs. %{link_start}What is a required pipeline configuration?%{link_end}"
 msgstr ""

+msgid "AdminSettings|Set the initial name and protections for the default branch of new repositories created in the instance."
+msgstr ""
+
 msgid "AdminSettings|Set the maximum size of GitLab Pages per project (0 for unlimited). %{link_start}Learn more.%{link_end}"
 msgstr ""

@@ -2673,9 +2679,6 @@ msgstr ""
 msgid "AdminSettings|The default domain to use for Auto Review Apps and Auto Deploy stages in all projects."
 msgstr ""

-msgid "AdminSettings|The default name for the initial branch of new repositories created in the instance."
-msgstr ""
-
 msgid "AdminSettings|The latest artifacts for all jobs in the most recent successful pipelines in each project are stored and do not expire."
 msgstr ""

@@ -3591,7 +3594,7 @@ msgstr ""
 msgid "Allow only the selected protocols to be used for Git access."
 msgstr ""

-msgid "Allow owners to manage default branch protection per group"
+msgid "Allow owners to manage default branch protection per group."
 msgstr ""

 msgid "Allow owners to manually add users outside of LDAP"
@@ -11564,9 +11567,6 @@ msgstr ""
 msgid "Default branch and protected branches"
 msgstr ""

-msgid "Default branch protection"
-msgstr ""
-
 msgid "Default delayed project deletion"
 msgstr ""

@@ -11585,9 +11585,6 @@ msgstr ""
 msgid "Default first day of the week in calendars and date pickers."
 msgstr ""

-msgid "Default initial branch name"
-msgstr ""
-
 msgid "Default project deletion protection"
 msgstr ""

@@ -17662,13 +17659,13 @@ msgstr ""
 msgid "GroupSettings|Select the project that contains your custom Insights file."
 msgstr ""

-msgid "GroupSettings|Set the maximum size of GitLab Pages for this group. %{link_start}Learn more.%{link_end}"
+msgid "GroupSettings|Set the initial name and protections for the default branch of new repositories created in the group."
 msgstr ""

-msgid "GroupSettings|The Auto DevOps pipeline runs if no alternative CI configuration file is found."
+msgid "GroupSettings|Set the maximum size of GitLab Pages for this group. %{link_start}Learn more.%{link_end}"
 msgstr ""

-msgid "GroupSettings|The default name for the initial branch of new repositories created in the group."
+msgid "GroupSettings|The Auto DevOps pipeline runs if no alternative CI configuration file is found."
 msgstr ""

 msgid "GroupSettings|The projects in this subgroup can be selected as templates for new projects created in the group. %{link_start}Learn more.%{link_end}"
@@ -19604,6 +19601,12 @@ msgstr ""
 msgid "Inherited:"
 msgstr ""

+msgid "Initial default branch name"
+msgstr ""
+
+msgid "Initial default branch protection"
+msgstr ""
+
 msgid "Inline"
 msgstr ""


--- a/spec/features/groups/settings/repository_spec.rb
+++ b/spec/features/groups/settings/repository_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe 'Group Repository settings' do
    end
  end

-  context 'Default initial branch name' do
+  context 'Default branch' do
    before do
      visit group_settings_repository_path(group)
    end
@@ -37,8 +37,8 @@ RSpec.describe 'Group Repository settings' do

    it 'renders the correct setting section content' do
      within("#js-default-branch-name") do
-        expect(page).to have_content("Default initial branch name")
-        expect(page).to have_content("The default name for the initial branch of new repositories created in the group.")
+        expect(page).to have_content("Default branch")
+        expect(page).to have_content("Set the initial name and protections for the default branch of new repositories created in the group.")
      end
    end
  end

--- a/spec/features/groups/settings/user_searches_in_settings_spec.rb
+++ b/spec/features/groups/settings/user_searches_in_settings_spec.rb
@@ -32,7 +32,7 @@ RSpec.describe 'User searches group settings', :js do
      visit group_settings_repository_path(group)
    end

-    it_behaves_like 'can search settings', 'Deploy tokens', 'Default initial branch name'
+    it_behaves_like 'can search settings', 'Deploy tokens', 'Default branch'
  end

  context 'in CI/CD page' do

--- a/spec/views/admin/application_settings/repository.html.haml_spec.rb
+++ b/spec/views/admin/application_settings/repository.html.haml_spec.rb
@@ -21,8 +21,9 @@ RSpec.describe 'admin/application_settings/repository.html.haml' do
    it 'renders the correct setting section content' do
      render

-      expect(rendered).to have_content("Default initial branch name")
-      expect(rendered).to have_content("The default name for the initial branch of new repositories created in the instance.")
+      expect(rendered).to have_content("Initial default branch name")
+      expect(rendered).to have_content("Set the initial name and protections for the default branch of new repositories created in the instance.")
+      expect(rendered).to have_content("Initial default branch protection")
    end
  end
 end