MokoConsulting/MokoGitea-Fork
1
0
Fork 0
Code Issues 138 Pull Requests Releases 96 Wiki Activity

feat: add delete whitelist to branch protection rules #696

New Issue
Closed
opened 2026-06-25 13:20:46 +00:00 by jmiller · 2 comments
jmiller commented 2026-06-25 13:20:46 +00:00
Owner
Copy Link
Copy Source

Problem

Branch protection currently blocks all deletion of protected branches with no whitelist mechanism. The pre-receive hook unconditionally blocks deletion. This prevents workflows like auto-release from cleaning up ephemeral branches (e.g. rc).

Solution

Add a delete whitelist following the same pattern as force-push allowlist:

  • CanDelete, EnableDeleteAllowlist, DeleteAllowlistUserIDs, DeleteAllowlistTeamIDs, DeleteAllowlistDeployKeys, DeleteAllowlistActionsUser
  • CanUserDelete() method on ProtectedBranch
  • Migration v361
  • API structs, pre-receive hook, branch service, web UI, locale strings

Use Case

The rc branch is ephemeral -- created by promote-rc, deleted by auto-release. It needs push protection while alive but must be deletable by CI.

## Problem Branch protection currently blocks all deletion of protected branches with no whitelist mechanism. The pre-receive hook unconditionally blocks deletion. This prevents workflows like auto-release from cleaning up ephemeral branches (e.g. rc). ## Solution Add a delete whitelist following the same pattern as force-push allowlist: - CanDelete, EnableDeleteAllowlist, DeleteAllowlistUserIDs, DeleteAllowlistTeamIDs, DeleteAllowlistDeployKeys, DeleteAllowlistActionsUser - CanUserDelete() method on ProtectedBranch - Migration v361 - API structs, pre-receive hook, branch service, web UI, locale strings ## Use Case The rc branch is ephemeral -- created by promote-rc, deleted by auto-release. It needs push protection while alive but must be deletable by CI.
jmiller commented 2026-06-27 20:36:35 +00:00
Author
Owner
Copy Link
Copy Source

Implementation complete in PR #706 (feature/delete-whitelistdev).

What was added:

  • 6 new model fields on ProtectedBranch: CanDelete, EnableDeleteAllowlist, DeleteAllowlistUserIDs, DeleteAllowlistTeamIDs, DeleteAllowlistDeployKeys, DeleteAllowlistActionsUser
  • CanUserDelete() method — defaults to admin access when no allowlist is enabled (higher threshold than force-push which defaults to write)
  • Migration v361 adds columns to protected_branch table
  • Pre-receive hook: replaced unconditional deletion block with CanUserDelete check (handles both deploy key and user scenarios)
  • CanDeleteBranch service: uses GetFirstMatchProtectedBranchRule + CanUserDelete instead of IsBranchProtected
  • Full API support (create/edit branch protection endpoints)
  • Web UI settings page with radio buttons (none/all/whitelist) and user/team/deploy-key dropdowns
  • 12 new locale strings

Files changed (13):
models/git/protected_branch.go, models/migrations/migrations.go, models/migrations/v1_27/v361.go, modules/structs/repo_branch.go, options/locale/locale_en-US.json, routers/api/v1/repo/branch.go, routers/private/hook_pre_receive.go, routers/web/repo/setting/protected_branch.go, services/convert/convert.go, services/forms/repo_form.go, services/repository/branch.go, templates/repo/settings/protected_branch.tmpl, CHANGELOG.md

Implementation complete in PR #706 (`feature/delete-whitelist` → `dev`). **What was added:** - 6 new model fields on `ProtectedBranch`: `CanDelete`, `EnableDeleteAllowlist`, `DeleteAllowlistUserIDs`, `DeleteAllowlistTeamIDs`, `DeleteAllowlistDeployKeys`, `DeleteAllowlistActionsUser` - `CanUserDelete()` method — defaults to admin access when no allowlist is enabled (higher threshold than force-push which defaults to write) - Migration v361 adds columns to `protected_branch` table - Pre-receive hook: replaced unconditional deletion block with `CanUserDelete` check (handles both deploy key and user scenarios) - `CanDeleteBranch` service: uses `GetFirstMatchProtectedBranchRule` + `CanUserDelete` instead of `IsBranchProtected` - Full API support (create/edit branch protection endpoints) - Web UI settings page with radio buttons (none/all/whitelist) and user/team/deploy-key dropdowns - 12 new locale strings **Files changed (13):** `models/git/protected_branch.go`, `models/migrations/migrations.go`, `models/migrations/v1_27/v361.go`, `modules/structs/repo_branch.go`, `options/locale/locale_en-US.json`, `routers/api/v1/repo/branch.go`, `routers/private/hook_pre_receive.go`, `routers/web/repo/setting/protected_branch.go`, `services/convert/convert.go`, `services/forms/repo_form.go`, `services/repository/branch.go`, `templates/repo/settings/protected_branch.tmpl`, `CHANGELOG.md`
jmiller commented 2026-06-28 00:36:50 +00:00
Author
Owner
Copy Link
Copy Source

Implemented in PR #706 (merged to dev).

Changes (13 files, +345/-20):

  • 6 new fields on ProtectedBranch model: CanDelete, EnableDeleteAllowlist, DeleteAllowlistUserIDs/TeamIDs, DeleteAllowlistDeployKeys, DeleteAllowlistActionsUser
  • CanUserDelete() method — defaults to admin access when no allowlist (higher threshold than force-push which uses write access)
  • Migration v361 adds columns to protected_branch table
  • Pre-receive hook checks CanUserDelete instead of unconditionally blocking deletion
  • Branch service CanDeleteBranch uses allowlist-aware check
  • Full API support (create/edit branch protection endpoints)
  • Web UI with radio pattern (disable/enable all/allowlist) matching force-push section
  • 12 locale strings added
Implemented in PR #706 (merged to dev). **Changes (13 files, +345/-20):** - 6 new fields on `ProtectedBranch` model: `CanDelete`, `EnableDeleteAllowlist`, `DeleteAllowlistUserIDs/TeamIDs`, `DeleteAllowlistDeployKeys`, `DeleteAllowlistActionsUser` - `CanUserDelete()` method — defaults to admin access when no allowlist (higher threshold than force-push which uses write access) - Migration v361 adds columns to `protected_branch` table - Pre-receive hook checks `CanUserDelete` instead of unconditionally blocking deletion - Branch service `CanDeleteBranch` uses allowlist-aware check - Full API support (create/edit branch protection endpoints) - Web UI with radio pattern (disable/enable all/allowlist) matching force-push section - 12 locale strings added
Sign in to join this conversation.
Labels
Clear labels
breaking-change
Breaking API or behavior change
 ci-cd
CI/CD pipeline changes
 config
Configuration changes
 dependencies
Dependency updates
 deploy-failure
Deployment failed
 docker
Docker/container changes
 documentation
Documentation changes
 feature: wiki
Wiki system enhancements
 good first issue
Good for newcomers
 health-check
Repo health check result
 help wanted
Extra attention needed
 mokostandards
Related to MokoStandards framework
 push-failure
Git push operation failed
 security
Security vulnerability or hardening
 size/l
200-500 lines changed
 size/m
50-200 lines changed
 size/s
10-50 lines changed
 size/xl
500+ lines changed
 size/xs
< 10 lines changed
 standards-drift
Deviates from MokoStandards
 standards-update
MokoStandards compliance update
 sync-failure
Sync or mirror failed
 tech-debt
Technical debt and TODO/FIXME items
 upstream
upstream
Inherited from upstream Gitea
 work-in-progress
Draft or incomplete work
No labels
Priority Medium
Type Feature
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-Fork#696
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?