Gerrit - how to disallow direct push to "master" but allow to other branches

Question

I want to set up configuration described below:

• Registered user can not push his changes directly to master. He has to push these changes for review:

  git push origin master - it should be rejected by Gerrit (origin = Gerrit)

  git push origin HEAD:refs/for/master - it should be allowed by Gerrit

• Registered user can create a new branch. This branch will be treated as a backup and a way of cooperation between two or more developers so it shouldn't be reviewed.

  git push origin xyz_abc - it should be allowed by Gerrit

How should I configure Gerrit to achieve such functionality ?

Answer 1

There are no good instructions anywhere, so thought I'd document the steps here.

1. Navigate to your project's Access page

Projects > List > your_project > Access

2. Edit Access

Click the Edit button

3. Add Reference to refs/heads/*

This is the reference for all direct pushes. We're going to configure who can do what to this path.

Click "Add Reference" and type in 'refs/heads/*' (no quotes)

4. Deny the "Push" permission

The Push permission is the one which controls who can make direct pushes. Merge pushes and pushes to Gerrit will still be allowed (see notes below).

1. Click "Add Permission" and select "Push".
2. Select the user group you want to deny push from (you can type in "Registered Users" if you want to block everyone)
3. Choose "DENY" from the dropdown that appears once you've added your user group

5. Save Changes

And you're done. The finished config should look something like this:

---

Note

If this doesn't work, make sure you have the Push permission set to ALLOW on refs/for/refs/* - this is the permission which allows pushes to Gerrit.