Make it possible for Duo service accounts to push first commit to a repository
It's quite a common scenario for users to create a new, empty repository and ask an AI Agent such as a Duo service account to implement the first iteration of a solution.
Unfortunately, if the service account only has Developer permissions, trying to push an initial branch results in a 403 error:
{"message":"403 Forbidden - You are not allowed to push into this branch"}
It looks like when a repository is empty, GitLab looks at the group's Repository settings to determine whether a developer can push:
- https://gitlab.com/gitlab-org/gitlab/-/blob/86dd58fcd149947c23b8eb9b36216aa56e4661bf/app/models/protected_branch.rb#L47
- https://docs.gitlab.com/ee/user/project/repository/branches/default.html#protect-initial-default-branches
As the documentation states, the default of fully protected means:
Default value. Developers cannot push new commits, but maintainers can. No one can force push.
Setting the instance-level default branch permission or pushing an initial commit works around the issue, but we want a more general, user-friendly scenario to avoid this.
Some ideas to fix this:
- Promote the service account to maintainer privileges (not ideal because this then allows them to do a lot more things).
- Give the service account some custom role that allows them to push initial commits (though this may not work with composite identities)
- ?
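
To make the trade-off between these options concrete, the following added example (not GitLab's code and not part of the original issue) models the empty-repository check as a simplified rule and audits a set of groups for whether a service account's first push would be rejected or would be allowed more broadly than needed. It assumes the documented `default_branch_protection` levels 0 to 4 and GitLab's access level values 30 (Developer) and 40 (Maintainer); the `service_account_access_level` field and all group names are constructed for illustration.

```ruby
require "json"

DEVELOPER  = 30 # GitLab access level values
MAINTAINER = 40

# default_branch_protection level => [label, Developer may push the first
# commit, Developer may keep pushing afterwards]
LEVELS = {
  0 => ["not protected",                      true,  true],
  1 => ["partially protected",                true,  true],
  2 => ["fully protected",                    false, false],
  3 => ["protected against pushes",           false, false],
  4 => ["fully protected after initial push", true,  false]
}.freeze

# Simplified model of the empty-repository check described in the issue.
def initial_push_allowed?(access_level, protection_level)
  return true if access_level >= MAINTAINER
  return false if access_level < DEVELOPER
  LEVELS.fetch(protection_level)[1]
end

# One finding per group: :blocked (first push gets the 403), :ok (first push
# only), or :broad (the account keeps push rights to the default branch).
def audit(groups_json)
  JSON.parse(groups_json).map do |g|
    level  = g.fetch("default_branch_protection")
    access = g.fetch("service_account_access_level") # hypothetical field
    status =
      if !initial_push_allowed?(access, level) then :blocked
      elsif access >= MAINTAINER || LEVELS.fetch(level)[2] then :broad
      else :ok
      end
    { group: g.fetch("full_path"), setting: LEVELS.fetch(level)[0], status: status }
  end
end

# Constructed sample input, not real GitLab API output.
SAMPLE = <<~JSON
  [
    {"full_path": "acme/agents",  "default_branch_protection": 2, "service_account_access_level": 30},
    {"full_path": "acme/sandbox", "default_branch_protection": 4, "service_account_access_level": 30},
    {"full_path": "acme/legacy",  "default_branch_protection": 1, "service_account_access_level": 30},
    {"full_path": "acme/infra",   "default_branch_protection": 2, "service_account_access_level": 40}
  ]
JSON

audit(SAMPLE).each { |f| puts format("%-13s %-36s %s", f[:group], f[:setting], f[:status]) } if __FILE__ == $PROGRAM_NAME
```

In this model, level 4 is the only setting that unblocks the first commit for a Developer without leaving the default branch open to later pushes, while promoting the account to Maintainer shows up as `:broad`.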