MokoConsulting/MokoGitea-APP
1
0
Fork 0
Code Issues 158 Pull Requests 3 Releases 96 Wiki Activity

feat: allow API to bypass branch protections with elevated token #222

New Issue
Open
opened 2026-05-26 20:23:09 +00:00 by jmiller · 0 comments
jmiller commented 2026-05-26 20:23:09 +00:00
Owner
Copy Link
Copy Source

Summary

Add a mechanism for the API to bypass branch protection rules when using an appropriately scoped token or admin-level credentials. This would allow automation (CI/CD pipelines, release tooling, Claude Code) to push directly to protected branches when needed without disabling protections for human users.

Motivation

Branch protections are essential for human workflows, but automated pipelines (e.g. release promotion, hotfix merges, backports) sometimes need to push to protected branches. Currently there is no way to do this via the API without temporarily disabling protections, which creates a security window.

Proposed Behavior

  • Admin tokens or tokens with a specific scope (e.g. repo:bypass-protection) can push/merge to protected branches via the API
  • Web UI protections remain enforced for all users
  • Audit log entries should clearly indicate when a bypass was used

References

  • GitHub supports this via "Allow specified actors to bypass required pull requests" in branch protection rules

Opened by Claude Code on behalf of @jmiller

## Summary Add a mechanism for the API to bypass branch protection rules when using an appropriately scoped token or admin-level credentials. This would allow automation (CI/CD pipelines, release tooling, Claude Code) to push directly to protected branches when needed without disabling protections for human users. ## Motivation Branch protections are essential for human workflows, but automated pipelines (e.g. release promotion, hotfix merges, backports) sometimes need to push to protected branches. Currently there is no way to do this via the API without temporarily disabling protections, which creates a security window. ## Proposed Behavior - Admin tokens or tokens with a specific scope (e.g. `repo:bypass-protection`) can push/merge to protected branches via the API - Web UI protections remain enforced for all users - Audit log entries should clearly indicate when a bypass was used ## References - GitHub supports this via "Allow specified actors to bypass required pull requests" in branch protection rules --- *Opened by Claude Code on behalf of @jmiller*
Sign in to join this conversation.
Labels
Clear labels
breaking-change
Breaking API or behavior change
 ci-cd
CI/CD pipeline changes
 config
Configuration changes
 dependencies
Dependency updates
 deploy-failure
Deployment failed
 docker
Docker/container changes
 documentation
Documentation changes
 good first issue
Good for newcomers
 health-check
Repo health check result
 help wanted
Extra attention needed
 mokostandards
Related to MokoStandards framework
 push-failure
Git push operation failed
 security
Security vulnerability or hardening
 size/l
200-500 lines changed
 size/m
50-200 lines changed
 size/s
10-50 lines changed
 size/xl
500+ lines changed
 size/xs
< 10 lines changed
 standards-drift
Deviates from MokoStandards
 standards-update
MokoStandards compliance update
 sync-failure
Sync or mirror failed
 tech-debt
Technical debt and TODO/FIXME items
 upstream
upstream
Inherited from upstream Gitea
 work-in-progress
Draft or incomplete work
No labels
Priority Medium
Type Feature
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-APP#222
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?