My company has allowed my team to set up a Stash v3.9.1 instance with Bamboo v5.8.1 as our CI. Recently, we have spent time designing a method for our Git repository management which includes automatically merging feature branches into our development branch upon passing the CI testing.
Now we wish to somewhat enforce this plan by only allowing Bamboo to directly write to the Development branch. Basically, developers (non-administrators) will not be able to push directly to the Development branch or merge directly into the development branch. Only Bamboo will be able to complete the merge once the tests are passed. This is to encourage the use of feature branches and allowing the CI to run before merging code into the main Development branch. I'm currently using the Bamboo "Gatekeeper" automatic merging method to handle these merges, with all branches starting with "feature/" being automatically merged.
My problem comes in when I try to lock down the Branch Permissions of the Development branch to only allow Bamboo to write. Since the Branch Permissions calls for a list of users which can read and write and we're using cyclic application links between Bamboo and Stash, the is no "Bamboo" user in our system and I can't add Bamboo to the list of approved writers. I attempted to simply create a branch permission which allowed no users in hopes that Bamboo would bypass it, but that didn't work.
Put simply, how can I create a Development branch with Stash v3.9.1 which only allows the Bamboo v5.8.1 server to write changes, and forbids direct changes from users?
If I understand correctly you need to authenticate Bamboo to Stash as a real user. You can set up the application link between Bamboo and Stash based on Basic Auth (username+password). See also https://confluence.atlassian.com/display/BAMBOO/Configuring+Stash+build+status+notifications
I've alread created the application link between Bamboo and Stash. This allowed me to get things like build results to appear in Stash. This is great, but the nature of creating the application link seems to make it so that it is not required for Bamboo to actually have a Stash user in order to make changes to Stash. Bamboo seems to generate a UUID and uses that instead of a username. As I understand it, the whole point of creating the application link is to bypass the need for Bamboo to have a designated Stash user, at least in this latest version of Stash. Thus when the Branch Permissions menu asks for a list of users, there is none for Bamboo. This is the root of the problem. I can't configure the Branch Permissions specifically for Bamboo because the application link makes it unnecessary for it to have a username.
Documentation mentioned by @Ulrich Kuhnhardt [Izymes] is outdated (i've just added a comment).
Word of explanation how Bamboo-Stash integration works: when you configure a Stash repository (for the first time) you need to do the OAuth dance when you login into Stash and allow Bamboo to access Stash as user X. When you click "Save" in your repository configuration Bamboo will generate a SSH keypair and will upload public key to personal SSH keys of a user X in Stash. Then all checkouts and pushes will be run using this SSH keypair.
In order to fix it you'd have to:
Say you have a service account "abc" in bamboo, and we use the ssh key of abc to checkout code from bamboo. In Stash, you allow branch permissions to for only user abc to write to master branch. This didnt work. I then created an internal user in stash called "abc" and played around with that. But those things didnt seem to work for me yet
Did you ever get a proper answer to this question?
I'm currently trying to do the same-ish thing at our client now, where we want to implement a release-process for the code, but we're not able to push to a branch in Stash with branch permissions set.
Any input would be highly appreciated!
Bitbucket Pipelines helps me manage and automate a number of serverless deployments to AWS Lambda and this is how I do it. I'm building Node.js Lambda functions using node-lambda ...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot