Disable Initial Commits from Maintainers
Problem
A large Ultimate, Self-Managed customer reported the following issue: Currently, GitLab's branch protection settings allow Maintainers to bypass protection rules for initial commits to new repositories. This creates a security compliance gap where:
- Initial commits can bypass branch protection rules, code review processes, and security policies
- Organizations cannot enforce consistent security frameworks from the first commit
- Compliance requirements for regulated industries cannot be met when initial commits bypass established workflows
- Security policies applied to protected branches don't apply to the most critical initial setup phase
Proposal
Add a new branch protection option (could be called: "Fully protected including initial commits") to prevent users with Maintainer role from making initial commits to new projects, requiring all initial code to go through merge requests and branch protection workflows.
Behavior Definition
When "Fully protected including initial commits" is selected:
- No user, regardless of role (Developer, Maintainer, or Owner), can push directly to the default branch
- All commits, including initial commits, must go through merge requests
- Branch protection rules apply from the moment of repository creation
- Code review, approval workflows, and security policies are enforced for all commits
Edited by 🤖 GitLab Bot 🤖