Allow group-level default branch protection settings to cascade to all subgroups and projects

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Proposal

For group-level default branch protection settings: add options for the setting to cascade down to all 1) existing, and 2) future subgroups and projects.

Current behavior on GitLab.com

• Default branch protection settings on a group only apply to direct repositories in that group, and only to repositories created after the setting has been updated.
  • To make the setting consistent across all existing subgroups and projects, you have to manually change the setting on each subgroup/project, one-by-one
• Regardless of the default branch protection setting on a parent group, newly created subgroups are always set to Fully protected.

Current behavior on self-managed

Admins of self-managed instance can control instance-level default branch protection settings, and can choose whether to allow group owners to override the setting for their group. But, this only partially resolves the problem: group owners on self-managed instance still can't choose to propagate their default branch protection setting to their subgroups or projects.

Desired Behavior

• Group and subgroup owners can choose to propagate the default branch protection setting to:
  • new subgroups and projects
  • existing subgroups and projects
• Group and subgroup owners can choose whether these cascading settings are enforced or can be overridden.

Problem to solve

1. When a customer wants to change their default branch protections on existing groups/subgroups and projects, they either need to go one-by-one in the UI or write a custom script to update the setting in each subgroup and project.
2. When a customer wants a consistent default branch protection setting on any new subgroups, they have to implement a clunky workaround (for example, setting up a subgroup events webhook that triggers a pipeline which updates the default branch protection setting).

Both of these limitations result in a tedious and time-consuming process, and it doesn't provide a good user experience.

Intended users

1. SaaS customers who want to establish and/or enforce a consistent workflow across all of their projects
2. Self-managed and SaaS customer who want to establish and/or enforce on a subset of their groups/subgroups and projects.

Related epics and issues

• Settings Management for Organization, Group and Project levels (epic)
• Cascading pattern for settings (epic)

Questions

• Should this be split into multiple feature requests?
  1. Apply the group-level default branch protection setting to existing subgroups and projects
  2. Create option in SaaS to enforce group-level default branch protection setting
  3. Cascade group-level default branch protection setting to all future subgroups and projects