Hi, I have a small team of 5 developers on a free plan and some private repositories. Recently I noticed any user can push code to my repositories no matter if it has permission or not.
Workspace is private, project is private, repository is private.
How can this be possible?
Do I need to add this check to the repository?:
"Require all commits pushed via the CLI have a verified signature"
What's the purpose of assigning user/permissions to a private repository if anybody can push code to it?
Hi @Fernando Martinez,
and welcome to the Community!
It sounds like there's some confusion regarding how Git and Bitbucket handle commits and push permissions.
First, it's important to understand the difference between the commit author and the user who authenticates a push.
The author of a commit is determined by the local Git configuration on the user's machine, meaning anyone can set their name and email to anything they want in their Git configuration.
This information shows up as the author of the commit in the UI. However, the ability to push commits to a repository is controlled by Bitbucket's access permissions. For a private repository, only users who have been explicitly granted access can authenticate and push changes to it. This authentication process is separate from the commit author information.
Since your repository is private, only users with the correct permissions can push to it. If someone without access attempts to push, they should be prompted for authentication and will be denied access if they fail to authenticate correctly.
The option to "Require all commits pushed via the CLI to have a verified signature" adds an additional layer of verification to ensure the authenticity of commits. This feature verifies that commits are signed with a GPG key that you trust. While this adds extra security in verifying the authorship of commits, it does not directly affect who can push to the repository. It ensures that the commits themselves are trusted and verified, but push permissions are still managed by Bitbucket's access controls.
If you are experiencing a situation where it seems like unauthorized users are pushing to your repository, I would recommend first checking with your developers on how they have currently configured their local copy of the repository, to make sure the name and email provided in the local git config matches with their account. This should help to avoid any confusion while checking the commit list in the UI.
Thank you, @Fernando Martinez !
Patrik S
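The distinction Patrik describes, as an added example that is not part of the original thread: a shell script that builds a throwaway repository, commits once with a configured identity and once with the identity changed on the same machine (no credentials involved at all), and then audits the repository's author e-mails against a team roster. The roster addresses and the repository contents are constructed for the demo; the functions `make_demo_repo`, `unknown_authors` and `count_unknown_authors` are mine, not a Bitbucket or Git feature.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows that the commit author is
# whatever the local Git config says, independent of who authenticated the
# push, and audits a repository's commit authors against a team roster.
set -eu

# Constructed roster: the e-mail addresses of the workspace accounts (assumption).
TEAM_EMAILS="alice@example.com
bob@example.com
carol@example.com
dave@example.com
erin@example.com"

# Build a throwaway repository with one commit under a roster identity and one
# whose author was set locally to an address that is not on the roster.
make_demo_repo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    (
        cd "$repo"
        echo "hello" > file.txt
        git add file.txt
        # The author comes from config; here it is supplied per command with -c.
        git -c user.name="Alice" -c user.email="alice@example.com" \
            commit -q -m "commit under a team identity"
        echo "more" >> file.txt
        git add file.txt
        # Same machine, same (hypothetical) push credentials; only the
        # configured identity changed, so the UI would show "Someone Else".
        git -c user.name="Someone Else" -c user.email="nobody@example.net" \
            commit -q -m "commit with a changed author"
    )
    echo "$repo"
}

# Print every author e-mail in the repository that is not on the roster.
unknown_authors() {
    repo=$1
    git -C "$repo" log --format='%ae' | sort -u | while read -r email; do
        if ! printf '%s\n' "$TEAM_EMAILS" | grep -qxF "$email"; then
            echo "$email"    # flag for follow-up with the developer
        fi
    done
}

# Number of flagged addresses, usable as a one-number health check.
count_unknown_authors() {
    unknown_authors "$1" | wc -l | tr -d ' '
}

# Usage when run directly.
r=$(make_demo_repo)
echo "Commit authors in $r:"
git -C "$r" log --format='%h %an <%ae>'
echo "Authors not on the team roster:"
unknown_authors "$r"
```

Running this flags `nobody@example.net` even though both commits were made by the same local user, which is exactly the mismatch Patrik suggests checking for in each developer's local config. The script checks identities only; whether a commit carries a trusted signature is a separate check, which is what the repository setting quoted in the question enforces on the Bitbucket side.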