1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
|
---
stage: Create
group: Code Review
info: "To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments"
---
<!-- vale gitlab.FutureTense = NO -->
# Tutorial: Build a protected workflow for your project **(FREE ALL)**
When your team starts a new project, they need a workflow that balances efficiency
with appropriate reviews. In GitLab, you can create user groups, combine those
groups with branch protections, and then enforce those protections with approval rules.
This tutorial sets up protections for Excelsior Project's `1.x` and `1.x.x`
release branches, and creates a minimal approval workflow for the project:
1. [Create the `engineering` group](#create-the-engineering-group)
1. [Create subgroups in `engineering`](#create-subgroups-in-engineering)
1. [Add users to the subgroups](#add-users-to-the-subgroups)
1. [Create the Excelsior project](#create-the-excelsior-project)
1. [Add a basic CODEOWNERS file](#add-a-basic-codeowners-file)
1. [Configure approval rules](#configure-approval-rules)
1. [Enforce CODEOWNER approval on branches](#enforce-codeowner-approval-on-branches)
1. [Create the release branches](#create-the-release-branches)
## Before you begin
- You must have the Maintainer or Owner role.
- You need a list of managers and their email addresses.
- You need a list of your backend and frontend engineers, and their email addresses.
- You understand [semantic versioning](https://semver.org/) for branch names.
## Create the `engineering` group
Before setting up Excelsior Project, you should create a group to own
the project. Here, you'll set up the Engineering group:
1. On the left sidebar, at the top, select **Create new...** (**{plus}**) and **New group**.
1. Select **Create group**.
1. For **Group name**, enter `Engineering`.
1. For the **Group URL**, enter `engineering`.
1. Set the **Visibility level** to **Private**.
1. Personalize your experience so GitLab shows the most helpful information to you:
- For **Role**, select **System administrator**.
- For **Who will be using this group?** select **My company or team**.
- For **What will you use this group for?** select **I want to store my code**.
1. Skip inviting members to the group. You'll add users in a later section of this tutorial.
1. Select **Create group**.
Next, you'll add subgroups to this `engineering` group for more granular control.
## Create subgroups in `engineering`
The `engineering` group is a good start, but Excelsior Project's
backend engineers, frontend engineers, and managers
have different tasks, and different areas of specialty.
Here, you'll create three more granular subgroups in the Engineering group to
segment users by the type of work they do: `managers`, `frontend`, and `backend`.
Then you'll add these new groups as members of the `engineering` group.
First, create the new subgroup:
1. On the left sidebar, select **Search or go to**
and search for `engineering`. Select the group named `Engineering`:
1. On the overview page for the `engineering` group, in the upper-right corner,
select **New subgroup**.
1. For the **Subgroup name**, enter `Managers`.
1. Set the **Visibility level** to **Private**.
1. Select **Create subgroup**.
Next, add the subgroup as a member of the `engineering` group:
1. On the left sidebar, select **Search or go to**
and search for `engineering`. Select the group named `Engineering`.
1. On the left sidebar, select **Manage > Members**.
1. On the top right, select **Invite a group**.
1. For **Select a group to invite**, select `Engineering / Managers`.
1. When adding the subgroups select the role **Maintainer**.
This configures the highest role a member of the subgroup can inherit when accessing the `engineering` group and its projects.
1. Optional. Select an expiration date.
1. Select **Invite**.
Repeat this process to create subgroups for `backend` and `frontend`. When you're done,
search for the `engineering` group one more time. Its overview page should show
three subgroups, like this:
## Add users to the subgroups
In the previous step, when you added your subgroups to the parent group (`engineering`), you limited
members of the subgroups to the Maintainer role. This is the highest role they can inherit
for projects owned by `engineering`. As a result:
- User 1 is added to the `manager` subgroup with the Guest role, and receives
the Guest role on `engineering` projects.
- User 2 is added to the `manager` group with the Owner role. This role is higher
than the maximum role (Maintainer) you set, so User 2 receives the Maintainer
role instead of Owner.
To add a user to the `frontend` subgroup:
1. On the left sidebar, select **Search or go to**
and search for `frontend`. Select the `Frontend` group.
1. Select **Manage > Members**.
1. Select **Invite members**.
1. Fill in the fields. Select the **Developer** role by default, increasing it
to **Maintainer** if this user reviews the work of others.
1. Select **Invite**.
1. Repeat these steps until you've added all of the frontend engineers into the
`frontend` subgroup.
Now do the same with the `backend` and `managers` groups. The same user can be a
member of multiple subgroups.
## Create the Excelsior project
Now that your group structure is in place, create the `excelsior` project
for the teams to work in. Because both frontend and backend engineers
are involved, `excelsior` should belong to `engineering` instead of any of the
smaller subgroups you just created.
To create the new `excelsior` project:
1. On the left sidebar, select **Search or go to** and
search for `engineering`. Select the group named `Engineering`.
1. On the overview page for the `engineering` group, on the left sidebar, at the top,
select **Create new...** (**{plus}**) and **In this group > New project/repository**.
1. Select **Create blank project**.
1. Enter the project details:
- In the **Project name** field, enter `Excelsior`. The **Project slug** should
auto-populate with `excelsior`.
- For **Visibility Level**, select **Public**.
- Select **Initialize repository with a README** to add an initial file to the repository.
1. Select **Create project**.
GitLab creates the `excelsior` project for you, and redirects you to its homepage.
It should look like this:
You'll use a feature on this page in the next step.
## Add a basic CODEOWNERS file
Add a CODEOWNERS file to the root directory of your project to route reviews to
the right subgroup. This example sets up four rules:
- All changes should be reviewed by someone in the `engineering` group.
- A manager should review any change to the CODEOWNERS file itself.
- Frontend engineers should review changes to frontend files.
- Backend engineers should review changes to backend files.
NOTE:
GitLab Free supports only optional reviews. To make reviews required, you need
GitLab Premium or Ultimate.
To add a CODEOWNERS file to your `excelsior` project:
1. On the left sidebar, select **Search or go to** and
search for `Excelsior`. Select the project named `Excelsior`.
1. Next to the branch name, select the plus icon (**{plus}**), then **New file**:
1. For **Filename**, enter `CODEOWNERS`. This will create a file named `CODEOWNERS`
in the root directory of your project.
1. Paste this example into the editing area, changing `@engineering/` if it
does not match your group structure:
```plaintext
# All changes should be reviewed by someone in the engineering group
* @engineering
# A manager should review any changes to this file
CODEOWNERS @engineering/managers
# Frontend files should be reviewed by FE engineers
[Frontend] @engineering/frontend
*.scss
*.js
# Backend files should be reviewed by BE engineers
[Backend] @engineering/backend
*.rb
```
1. For a **Commit message**, paste in:
```plaintext
Adds a new CODEOWNERS file
Creates a small CODEOWNERS file to:
- Route backend and frontend changes to the right teams
- Route CODEOWNERS file changes to managers
- Request all changes be reviewed
```
1. Select **Commit changes**.
The CODEOWNERS file is now in place in the `main` branch of your project, and
available for all future branches created in this project.
## Configure approval rules
The CODEOWNERS file describes the appropriate reviewers for directories and
file types. Approval rules direct merge requests to those reviewers.
Here, you will set up an approval rule that uses the information in your new CODEOWNERS
file and adds protection for release branches:
1. On the left sidebar, select **Settings > Merge requests**.
1. In the **Merge request approvals** section, scroll to **Approval rules**.
1. Select **Add approval rule**.
1. Create a rule named `Enforce CODEOWNERS`.
1. Select **All protected branches**.
1. To make the rule required in GitLab Premium and GitLab Ultimate,
set the **Approvals required** to `1`.
1. Add the `managers` group as approvers.
1. Select **Add approval rule**.
1. Scroll to **Approval settings** and make sure
**Prevent editing approval rules in merge requests** is selected.
1. Select **Save changes**.
When added, the `Enforce CODEOWNERS` rule looks like this:
## Enforce CODEOWNER approval on branches
You've configured several protections for your project, and you're now ready to
combine those protections together to safeguard your project's important branches:
- Your users are sorted into logical groups and subgroups.
- Your CODEOWNERS file describes the subject matter experts for file types and directories.
- Your approval rule encourages (in GitLab Free) or requires (in GitLab Premium and GitLab Ultimate)
the subject matter experts to review changes.
Your `excelsior` project uses [semantic versioning](https://semver.org/) for
release branch names, so you know the release branches follow the pattern `1.x`
and `1.x.x`. You want all code added to these branches to be reviewed by subject
matter experts, and for managers to make the final decision on what work is merged
into the release branch.
Rather than create protections for a branch at a time, configure wildcard branch rules
to protect multiple branches:
1. On the left sidebar, select **Settings > Repository**.
1. Expand **Protected branches**.
1. From the **Branch** dropdown list, type `1.*`, and then select **Create wildcard `1.*`**.
1. To require everyone to submit merge requests, rather than pushing commits directly:
1. Set **Allowed to merge** to **Maintainers**.
1. Set **Allowed to push and merge** to **No one**.
1. Leave **Allowed to force push** disabled.
1. In GitLab Premium and GitLab Ultimate, to require Code Owners to review changes
to files they work on, toggle **Require approval from code owners**.
1. Select **Protect**.
1. In the table of branches, find the rule marked as `Default`. (Depending on
your version of GitLab, this branch may be named `main` or `master`.) Set the
values for this branch to match the settings you used for the `1.*` rule.
Your rules are now in place, even though no `1.*` branches exist yet:
## Create the release branches
Now that all branch protections in place, you're ready to create your 1.0.0 release branch:
1. On the left sidebar, select **Code > Branches**.
1. On the top right, select **New branch**. Name it `1.0.0`.
1. Select **Create branch**.
The branch protections are now visible in the UI:
- On the left sidebar, select **Code > Branches**. In the list of branches,
branch `1.0.0` should be show that it is protected:
- On the left sidebar, select **Settings > Repository**, then expand **Branch rules**
to see details about all protected branches:
Congratulations! Your engineers can work independently in their feature branches,
and all code submitted for consideration for the 1.0.0 release branch will
be reviewed by subject matter experts.
|
