Secure Source Manager is generally available (GA) by invitation only. To use Secure Source Manager, contact your Google Account team.

Configure branch protection

This page explains how to configure branch protection for Secure Source Manager repositories.

Branch protection lets repository administrators set rules to control who can make changes to branches, who needs to approve or review changes, and what conditions must be met before an approved change can be merged into a branch.

For more information about branch protection rules, see Branch protection overview.

Before you begin

Required roles

To get the permissions that you need to configure branch protection rules for a Secure Source Manager repository, ask your administrator to grant you the following IAM roles:

Secure Source Manager Instance Accessor (roles/securesourcemanager.instanceAccessor) on the Secure Source Manager instance
Secure Source Manager Repository Admin (roles/securesourcemanager.repoAdmin) on the Secure Source Manager repository
To approve pull requests on protected branches in any repository in a Secure Source Manager instance:
- Secure Source Manager Repository Pull Request Approver (roles/securesourcemanager.repoPullRequestApprover) on the Google Cloud project for the instance
- Secure Source Manager Repository Writer (roles/securesourcemanager.repoWriter) on the Google Cloud project for the instance
To approve pull requests on protected branches in a single repository:
- Secure Source Manager Repository Pull Request Approver (roles/securesourcemanager.repoPullRequestApprover) on the repository
- Secure Source Manager Repository Writer (roles/securesourcemanager.repoWriter) on the repository

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For information on granting Secure Source Manager roles, see Access control with IAM and Grant users instance access.

Create a branch protection rule

To create a new branch protection rule, do the following:

In the Secure Source Manager web interface, select the repository you want to protect with a branch protection rule.
From the repository page, click Settings.
Click the Branch rule tab.
Click Add branch rule.
In the Branch rule ID field, enter a name for the branch rule.

Branch rule IDs are restricted to lower-case letters, numbers, and hyphens. The first character must be a letter, and the last character must be a letter or a number. Branch rule IDs have a 63 character maximum.
In the Branch filter field, enter the name of the branch you want the rule to apply to, or if you want the rule to apply to all branches, enter .*. Full regular expression matching is not supported.

Enabled branch rule filters must be unique to their repository. Users can have multiple disabled branch rule filters. For example, you can't have two enabled branch rules in a single repository with the branch filter main.

When multiple rules are applicable for a branch, the branch rule with a specific branch name as the branch filter will override the wildcard rule. For example, a branch rule with branch filter main will override a branch rule with the branch filter .*. Rules are not combined.
In the Branch protection rule details section, specify the requirements for your branch rule from the following options:
- Require a pull request before merging: if enabled, direct commits to the branch will be blocked. A pull request must be opened before merging into the protected branch.
  
  Note: You can't apply this rule to all branches using .*, because that would prevent pushing directly to all branches, even new branches.
- Required number of reviewers: specify the number of reviewers required to approve in order to merge the pull request.
- Required number of approvers: specify the number of approvers required to approve in order to merge the pull request.
  
  Reviewers and approvers are users with specific IAM roles. To learn which roles are required for reviewers and approvers, see Branch protection overview.
- Block merge on stale reviews and approvals: if enabled, a review or approval is removed if new commits are pushed to the pull request after the review or approval is granted.
- Require conversation resolution before merging: if enabled, all code comments and request change reviews must be resolved before merging.
- Require linear history: if enabled, pull requests that would create a non-linear Git history can't be merged.
- Require status checks: if enabled, the selected build status checks must be successful before a pull request can be merged. You must configure triggers in your triggers file before you can select them as status checks for branch protection.
To save the branch rule, click Submit.

The Branch rules tab is displayed, with your new branch rule listed.

Modify a branch protection rule

To modify a branch protection rule, do the following:

In the Secure Source Manager web interface, select the repository with the branch protection rule you want to modify.
From the repository page, click Settings.
Click the Branch rules tab.
Click the name of the branch rule you want to modify.
Edit the branch protection rule.
Click Update.

The branch protection rule is updated.

Delete a branch protection rule

To delete a branch protection rule, do the following:

In the Secure Source Manager web interface, select the repository that you want to remove the branch rule from.
From the repository page, click Settings.
Click the Branch rule tab.
In the row of the rule you want to delete, click the Delete icon.
In the Remove branch rule confirmation screen, click Yes.

The branch protection rule is deleted.

What's next

Read the Branch protection overview.
Learn how to automate builds by following the steps in Connect to Cloud Build.
Learn how to check the status of automated builds.