doc/user/project/repository/branches/protected.md
{{< details >}}
{{< /details >}}
[!note] The Protected branches settings for projects will be removed. Configure protected branches from Settings > Repository > Branch rules instead.
Protected branches enforce specific permissions on branches in GitLab to ensure code stability and quality. Protected branches:
[!note] The default branch for your repository is protected by default. For more information about default branch settings, see default branch.
For information about how protection rules behave when a branch matches multiple rules or has complex permission requirements, see protection rules.
Configure protected branches for individual projects or for all projects in a group.
[!note] Group rules can't be modified in a project, but a project maintainer can create a separate rule for the same branch name. When both rules apply to the same branch, GitLab evaluates all matching rules together and applies the most permissive result for most settings. For more information, see rules across groups and projects.
Prerequisites:
To protect a branch:
[!note] In GitLab Premium and Ultimate, you can also add groups or individual users to Allowed to merge and Allowed to push and merge.
{{< details >}}
{{< /details >}}
{{< history >}}
group_protected_branches removed.{{< /history >}}
Group owners can create protected branches for a group. These settings apply to all projects in the group and can't be modified in a project.
Prerequisites:
To protect a branch for all projects in a group:
*).
Branch names and wildcards are case-sensitive.The Allowed to merge and Allowed to push and merge settings control different aspects of branch protection:
| Setting | Purpose | Default behavior (not configured) |
|---|---|---|
| Allowed to merge | Controls who can merge changes through merge requests and create new protected branches through the UI and API | No one can merge (unless they have Allowed to push and merge). |
| Allowed to push and merge | Controls who can push directly to existing protected branches and merge through merge requests | No one can push. |
[!note] Allowed to push and merge grants both push and merge capabilities. Users with this permission can merge through merge requests even without Allowed to merge permission.
When you select No one for either Allowed to merge or Allowed to push and merge, the UI clears other role selections. This behavior differs from the API, where you can set multiple access levels simultaneously. For more information about API behavior, see the Protected branches API.
Different branch types require different protection levels based on their purpose and security requirements.
For branches deployed to production environments:
With this configuration, all changes require merge requests with maintainer approval.
For active development branches:
With this configuration, developers can merge approved merge requests while requiring all changes to go through code review.
[!note] When Allowed to push and merge is not configured, it does not restrict push access. To prevent direct pushes, you must explicitly set Allowed to push and merge to No one.
The following examples show what users with the Developer role can do with different protection configurations:
| Allowed to merge | Allowed to push and merge | Direct push | Merge through MR |
|---|---|---|---|
| No one | Developers + Maintainers | {{< yes >}} | {{< yes >}} |
| Not configured | Developers + Maintainers | {{< yes >}} | {{< yes >}} |
| Developers + Maintainers | Not configured | {{< no >}} | {{< yes >}} |
| Not configured | Not configured | {{< no >}} | {{< no >}} |
| Maintainers | Not configured | {{< no >}} | {{< no >}} |
| Maintainers | Maintainers | {{< no >}} | {{< no >}} |
| Developers + Maintainers | Maintainers | {{< no >}} | {{< yes >}} |
Administrators can set a default branch protection level in the Admin area.
When using wildcards, multiple rules can apply to a single branch. If more than one rule applies to a branch, the most permissive rule controls how the branch behaves. For merge controls to work properly, set Allowed to push and merge to a broader set of users than Allowed to merge.
Prerequisites:
To protect multiple branches at the same time:
In the top bar, select Search or go to and find your project.
Select Settings > Repository.
Expand Branch rules.
Select Add branch rule > Branch name or pattern.
From the dropdown list, type the branch name and a wildcard (*).
Branch names and wildcards are case-sensitive. For example:
| Wildcard protected branch | Matching branches |
|---|---|
*-stable | production-stable, staging-stable |
production/* | production/app-server, production/load-balancer |
*gitlab* | gitlab, gitlab/staging, master/gitlab/production |
Select Create wildcard.
Select Create branch rule. You are directed to the Branch rule details page.
From the Protect branch section, choose one of the following options:
You can set various protection options to secure your branches.
You can force everyone to submit a merge request, rather than allowing them to check in directly to a protected branch:
You can allow everyone with write access to push directly to the protected branch.
{{< details >}}
{{< /details >}}
To set the members of a group or subgroup as Allowed to merge or Allowed to push and merge to a protected branch:
In the top bar, select Search or go to and find your project.
Select Settings > Repository.
Expand Branch rules.
Next to your branch, select View details.
In the Allowed to merge or Allowed to push and merge sections, select Edit.
Under Groups, search to add groups. For example:
# Allow group members to merge into this branch
Allowed to merge: @group-x
# Allow group members to push and merge into this branch
Allowed to push and merge: @group-x/subgroup-y
Select Save changes.
[!note] When you assign a group to a protected branch, only direct members of that group are included. Members from parent groups are not automatically granted permissions to the protected branch.
%%{init: { "fontFamily": "GitLab Sans" }}%%
graph TD
accTitle: Diagram of group inheritance for protected branches
accDescr: If a project is shared with a group, the group members inherit permissions for protected branches.
A[Parent group X] -->|owns| B[Project A]
A -->|contains| C[Subgroup Y]
B -->|shared with| C
C -->|members inherit permissions| B
In this example:
group-x) owns Project A.group-x/subgroup-y)The eligible groups for protected branch permissions are:
You can share the project with a group or subgroup so that their members are eligible for protected branch permissions.
%%{init: { "fontFamily": "GitLab Sans" }}%%
graph LR
accTitle: Diagram of project sharing for protected branch permissions
accDescr: Sharing a project with a group affects whether their members can have protected branch permissions.
A[Parent group X] -->|owns| B[Project A]
A -->|also contains| C[Subgroup Y]
C -.->D{Share Project A
with Subgroup Y?} -.->|yes| E[Members of Subgroup Y
can have protected
branch permissions]
D{Share Project A
with Subgroup Y?} -.->|no| F[Members of Subgroup Y
cannot have protected
branch permissions]
E -.->|Add Subgroup Y
to protected branch settings| I[Subgroup Y members
can merge/push] -.-> B
F -.-> |Add Subgroup Y
to protected branch settings| J[Settings will not
take effect] -.-> B
To grant access to Subgroup Y members for Project A, you must share the project with the subgroup. Adding the subgroup directly to the protected branch settings is not effective and isn't applicable to subgroup members.
[!note] For a group to have protected branch permissions, the project must be directly shared with the group. Inherited project membership from parent groups is not sufficient for protected branch permissions.
You can push to a protected branch with a deploy key.
Prerequisites:
To allow a deploy key to push to a protected branch:
Deploy keys are not available in the Allowed to merge dropdown list.
You can allow force pushes to protected branches.
To protect a branch and enable force push:
To enable force pushes on branches that are already protected:
{{< details >}}
{{< /details >}}
For a protected branch, you can require at least one approval by a code owner. If a branch is protected by multiple rules, code owner approval is required if Required approval from code owners enabled.
To protect a new branch and enable Code Owner's approval:
To enable Code Owner's approval on branches that are already protected:
When enabled, all merge requests for these branches require approval by a Code Owner per matched rule before they can be merged. Additionally, direct pushes to the protected branch are denied if a rule is matched.
Any user who is not specified in the CODEOWNERS file cannot push
changes for the specified files or paths, unless they are specifically allowed to.
You don't have to restrict developers from pushing directly to the
protected branch. Instead, you can restrict pushing to certain files where a review by
Code Owners is required.
Users and groups who are allowed to push to protected branches do not need a merge request to merge their feature branches. Thus, they can skip merge request approval rules, Code Owners included.
{{< details >}}
{{< /details >}}
When you protect a branch, you can also control who can unprotect it later. By default, users with the Maintainer or Owner role can unprotect protected branches.
For organizations with regulatory or compliance requirements, you can restrict these permissions to specific users, groups, or access levels.
[!note] To avoid permanently locking protection settings for a branch, ensure at least one user or group retains unprotect permissions for the branch at all times.
Users cannot create, modify, or delete protected branch settings unless they can unprotect the branch themselves. This safety mechanism is in place to prevent configuration errors.
You can configure these permissions through the API only. Use this feature for:
For information about valid access levels and constraints for unprotect permissions, see valid access levels.
The following table shows who can unprotect a branch based on your configuration:
| Configuration | Who can unprotect |
|---|---|
| Default behavior | Users with the Maintainer or Owner role |
| Specific users configured | Only designated users |
| Specific groups configured | Only members of designated groups |
| Multiple access levels configured | Any user, group, or role from the configured access levels |
The permission to merge or push to protected branches defines whether or not a user can run CI/CD pipelines and execute actions on jobs.
Merge request pipelines run on the source branch or a merge request reference based on the source branch. A pipeline isn't created if the user doesn't have permission to merge or push to the source branch.
When a merge request is between protected branches, protected variables and runners are available to the pipeline if the user has permission to update both the source and target branches. For more information, see control access to protected variables and runners.
Prerequisites:
To create a new branch with protections:
You can also use the Branches API to create a branch with protections.
If branch protection is configured to allow everyone to push directly to a protected branch, a branch with protections can also be created from the command line or a Git client application.
Users with the Maintainer or Owner role can manually delete protected branches by using the GitLab web interface:
You can only delete protected branches with the GitLab UI or API. You cannot delete protected branches with local Git commands or third-party Git clients.
For security and compliance, you may implement a merge request approval policy which affects settings otherwise defined in your instance, group, or projects. Policies may affect users ability to unprotect or delete branches, push or force push.
Branch names in git are case-sensitive. When configuring your protected branch,
or your target branch workflow,
dev is not the same DEV or Dev.