feat: org branch protection per-user (username/email) allowlists + actions-bot toggle (#727) #750
Reference in New Issue
Block a user
Delete Branch "feature/org-branch-protection-user-allowlists"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Adds individual-user allowlists (by username OR email) and an "allow actions bot" toggle to org-level branch protection — on top of the existing team-only allowlists. Requested as a pre-ship requirement for #733 ("email-based must work at the org level"). API-only (org branch protection has no web form); the API-bot toggle is deferred to #747.
Changes (9 files, +642/−11, on current dev)
models/git/org_protected_branch.go— addsWhitelistUserIDs/MergeWhitelistUserIDs/ForcePushAllowlistUserIDs/DeleteAllowlistUserIDs/ApprovalsWhitelistUserIDs([]int64) andWhitelistActionsUser/Merge / ForcePush / Deleteactions-user bools (approvals has no actions-user, matching repo-level).ToProtectedBranch()carries all 9 into enforcement.models/migrations/v1_27/v368.go) — additivex.Syncof the 9 columns; registered after 366.modules/structs/org_branch.go—*_whitelist_usernames+*_whitelist_actions_useron Create/Edit/response (same json names as repo-levelrepo_branch.go).routers/api/v1/org/branch_protection.go—resolveUserIDs(GetUserByName → GetUserByEmail fallback, dedupe, 422 on unknown); wired into Create/Edit gated on the sameEnable*flags as the team lists;toAPIOrgBranchProtectionrenders user IDs → usernames + the toggles.models/git/protected_branch_merge.go— newmergeAllowFlag(most-restrictive, enable-aware); the four actions-user flags now merge properly (supersedes the earlier #741 pass-through, which was a workaround for org being unable to express them). Deploy-keys stay pass-through (org still can't express them). User-ID lists already flow throughmergeAllowlist(intersection). + unit test.Enforcement semantics
ToProtectedBranch()carries the user IDs + toggles directly.mergeMostRestrictiveintersects user/team allowlists andmergeAllowFlags the actions-user toggle (both-enabled → AND; one-enabled → that side; neither → repo value, so no spurious lockout).Verification (local, Go 1.26.3, on dev base)
go build ./...→ exit 0 (independently confirmed, not masked);gofmt -lclean on all changed files.go test ./models/git/...→ ok (incl. the newmergeAllowFlag/ merge test).Note: an earlier attempt built against stale
mainand was discarded; this branch is verified based on currentdev(6c0c2c3f).Related: #727, #733 (release — this is its last blocker), #747 (API-bot toggle, later).
https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT