What are the best practices for setting up and for securing all aspects of a BitBucket Mercurial repo (hosted on bitbucket.org), including access, ensuring simplified commit histories and branch heads, etc.?
For pushes, can I:
- Forbid creating more than one head per branch
- Forbid commits from users whose user name does not exactly match a BitBucket account, either matching by email address alone, or also including the full name? Can I restrict the email address (& possibly full name) to that of the approved BitBucket account at the time when that account was authorized (i.e., the BitBucket account email address and full name cannot have changed)
- Require that all commits are digitally signed, either via the Commitsigs extension, or via some other mechanism
- Require that all pushed heads build successfully, pass all tests, and conform to formatting / linting standards
- Use the ACL extension to allow / deny access to particular users for particular files
- Require that no files that match any .hgignore patterns are ever committed
Obviously there are other components of setup & security. It would be great to compile a comprehensive guide. Other potential practices include:
- requiring two-factor authentication
- requiring ed25519 ssh keys
- enabling ssh compression
- assigning repos to projects within teams
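
As an added example (not part of the original question and not Bitbucket's own code), the first two push checks in the list above, one head per branch and author email on an approved list, can be expressed as a script over `hg` template output. It assumes the script runs somewhere you control, such as a local Mercurial hook or a CI job; the template formats, the allowlist, the function names and the sample changesets are all constructed for illustration.

```python
"""Push-policy checks over `hg` template output; sample data is constructed."""
from collections import defaultdict

# Assumed input formats (chosen for this example):
#   hg heads --template '{branch}\t{node|short}\n'
#   hg log -r "$HG_NODE:" --template '{node|short}\t{author|email}\n'
SAMPLE_HEADS = "default\t3f2a9c1d0b7e\ndefault\t9b1e44c0aa12\nstable\t77c0de5512ab\n"
SAMPLE_INCOMING = (
    "9b1e44c0aa12\talice@example.com\n"
    "c4d5e6f7a8b9\tMallory@Example.net\n"
    "0a1b2c3d4e5f\t\n"  # changeset whose user field carries no email
)
APPROVED_EMAILS = {"alice@example.com", "bob@example.com"}  # hypothetical allowlist


def parse_rows(text):
    """Split tab-separated template output into (first, second) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            first, _, second = line.partition("\t")
            rows.append((first.strip(), second.strip()))
    return rows


def branches_with_multiple_heads(heads_text):
    """Return {branch: [nodes]} for every branch that has more than one head."""
    by_branch = defaultdict(list)
    for branch, node in parse_rows(heads_text):
        by_branch[branch].append(node)
    return {b: nodes for b, nodes in by_branch.items() if len(nodes) > 1}


def unapproved_commits(incoming_text, approved):
    """Return [(node, email)] whose author email is missing or not approved."""
    allowed = {e.lower() for e in approved}  # case-insensitive match is a choice here
    return [(node, email) for node, email in parse_rows(incoming_text)
            if email.lower() not in allowed]


def check_push(heads_text, incoming_text, approved):
    """Collect violations as strings; an empty list means the push passes."""
    problems = []
    for branch, nodes in sorted(branches_with_multiple_heads(heads_text).items()):
        problems.append(f"branch {branch} has {len(nodes)} heads: {', '.join(nodes)}")
    for node, email in unapproved_commits(incoming_text, approved):
        problems.append(f"changeset {node}: author email {email or '<none>'} not approved")
    return problems
```

The user field of a Mercurial changeset is set by whoever creates the commit, so the email check catches misconfigured clients but does not authenticate the author; that is what the signing requirement in the list is for.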