Locking down access to a repository branch

Dawn Garner
November 8, 2018

Hi all,

Due to the confidential nature of a new project (must be approved and sign an NDA to work on it), we need a way to lock down a branch so that it can't be viewed by some of the members of our development team. This means not even read access. I have not found a way to do this other than creating a fork (which then adds a number of additional complexities and unknowns that we are not excited about). Is there a workaround that anyone has come across? Some way to even set up password access for a branch or something?

Suggestions are much appreciated.

Thanks, 

Dawn

1 answer

1 accepted

1 vote
Answer accepted
Julius Davies [bit-booster.com]
November 9, 2018

 

You cannot have branches in Git that are invisible to some people.

You'd have to implement this by using a fork.

Question: would this secret branch ever merge back into master or other mainline branches?

Dawn Garner
November 9, 2018

Thanks so much for the info - was afraid of that.

Yes, we do need to merge it back in to the master upstream branch once the project is completed. Plus we have other ongoing projects happening off of that master upstream branch. This is the nightmare scenario I was hoping to avoid.

I haven't found much information online yet on how to efficiently handle this issue, but I would think other companies out there would have this same need - was hoping to find a creative workaround someone else had figured out.

Julius Davies [bit-booster.com]
November 9, 2018

 

The moment you merge back into the original 'master' branch, all the work (up to the point of the merge) will become visible to everyone in the original repository. Are you okay with that?

Is the main problem keeping the fork's master in-sync with upstream master? To keep the fork up to date, I would recommend the following setup:

1. In the fork's config, make 'master' read-only except for a special service account (don't let the secret project team push or merge to 'master').

2. Set up a clone on a restricted server somewhere that has access to both upstream and the fork and has the special "service account" credentials to push to fork/master. Something like this:

git clone --bare [original-clone-url]
cd [original-clone.git]
git remote add fork [fork-clone-url]

 

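3. On that same restricted server set up a cron job that runs every minute and just does the following over and over again, once per minute!

# A bare clone has no remote-tracking refs, so name the branch explicitly.
git fetch origin +refs/heads/master:refs/heads/master
# Syntax is "git push <remote> <src>:<dst>"; the destination remote is "fork".
git push --force fork refs/heads/master:refs/heads/master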

 

That will keep the fork's 'master' always identical to upstream's master.  The secret project work would need to happen on a different branch, but they can take merges from fork/master or rebase on top of fork/master whenever they like.  (And they should probably do so often).

Good luck!
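The sync from steps 2 and 3 as one cron-ready script, as an added example that is not part of the answer above. It assumes the bare mirror with remotes "origin" and "fork" from step 2; `harden_mirror` and `sync_master` are hypothetical names, and disabling origin's push URL is an extra precaution added here so the host holding both sets of credentials does not push fork refs upstream by mistake.

```shell
#!/bin/sh
# Added example: one-way sync of upstream master into the fork's master.
# Assumes the bare mirror from step 2, with remotes "origin" and "fork".
# harden_mirror and sync_master are hypothetical names.

# Run once after setup. Points origin's push URL at a non-existent target
# so a stray "git push origin" from this host fails instead of publishing.
harden_mirror() {
    git -C "$1" remote set-url --push origin DISABLED
}

# One sync pass; non-zero exit on any failure so cron mail surfaces it.
sync_master() {
    repo=$1
    pushurl=$(git -C "$repo" remote get-url --push origin) || return 1
    if [ "$pushurl" != "DISABLED" ]; then
        echo "sync_master: origin is still pushable, run harden_mirror" >&2
        return 1
    fi
    # Explicit refspecs: only master is fetched, only master is pushed.
    git -C "$repo" fetch -q origin \
        '+refs/heads/master:refs/heads/master' || return 1
    git -C "$repo" push -q --force fork \
        'refs/heads/master:refs/heads/master' || return 1
    # Confirm the fork now advertises the same commit as upstream.
    want=$(git -C "$repo" rev-parse refs/heads/master) || return 1
    got=$(git -C "$repo" ls-remote fork refs/heads/master | cut -f1)
    [ "$want" = "$got" ]
}

# Entry point for cron, e.g. (constructed paths):
#   * * * * * flock -n /var/lock/sync.lock /opt/sync.sh /srv/mirror.git
# flock -n skips a run if the previous one is still going.
if [ "$#" -eq 1 ]; then
    sync_master "$1"
fi
```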

  
