Gitea Community - auto-protect default branch

Install/Maintain/Configure

Vasiliy April 23, 2024, 8:46pm 1

For every repo we need the default branch (main/master) to be protected (no direct changes).
Could not find a config option, created a SQL trigger to automatically protect the default branch of every repository in the Gitea with SQL Server DB:

1. The trigger is created on the repository table and executed after INSERT or UPDATE.
2. Inserts rows into the protected_branch table for each repository’s default branch that is not already protected.
3. Hardcoded column values of the protected_branch table:

• repo_id: The ID of the repository.
• branch_name: The name of the default branch.
• enable_whitelist: An empty string indicating that the whitelist is not enabled.
• whitelist_user_i_ds, whitelist_team_i_ds, merge_whitelist_user_i_ds, merge_whitelist_team_i_ds, status_check_contexts, approvals_whitelist_user_i_ds, approvals_whitelist_team_i_ds: These columns are set to 'null' as placeholders.
• required_approvals: Set to 1, indicating that at least one approval is required for merging.
• protected_file_patterns: Set to '*.*', which means all files are protected.
• unprotected_file_patterns: An empty string indicating no unprotected file patterns.
• created_unix, updated_unix: The current timestamp in Unix format (seconds since ‘1970-01-01 00:00:00’).

4. The WHERE clause in the SELECT statement checks if there is no existing protected branch entry for the repository’s default branch using a correlated subquery. This ensures that a new protected branch entry is only inserted if it doesn’t already exist.

The trigger is executed automatically whenever a new repository is inserted or an existing repository is updated in the repository table.

– =============================================
– Author: Vasiliy Goncharenko
– Create date: 2024.04.23
– Description: Make every Gitea ‘default’ branch as protected
– =============================================
CREATE OR ALTER TRIGGER dbo.repository_mark_default_branch_as_protected ON repository
AFTER INSERT,UPDATE
AS
BEGIN
SET NOCOUNT ON;

-- Make every Gitea 'default' branch as protected (if added as a trigger into repository)
INSERT INTO protected_branch (repo_id, branch_name, enable_whitelist, whitelist_user_i_ds, whitelist_team_i_ds, merge_whitelist_user_i_ds, merge_whitelist_team_i_ds, status_check_contexts, approvals_whitelist_user_i_ds, approvals_whitelist_team_i_ds, required_approvals, protected_file_patterns, unprotected_file_patterns, created_unix, updated_unix)
SELECT r.id, r.default_branch, '', 'null', 'null', 'null', 'null', 'null', 'null', 'null', 1, '*.*', '', DATEDIFF(second, '1970-01-01 00:00:00', GETDATE()), DATEDIFF(second, '1970-01-01 00:00:00', GETDATE())
FROM repository r
WHERE NOT EXISTS (
	SELECT 1
	FROM protected_branch pb
	WHERE pb.repo_id = r.id AND pb.branch_name = r.default_branch
);

END
GO

Jefry-nolastname January 23, 2025, 7:15am 2

Thankyou, this trigger actually very useful and I wish this post could be pinned as a must have. This feature shouldn’t have to be exclusive to the enterprise version since main/primary branch should be protected by default to avoid conflicts.

Related topics

Topic		Replies	Views	Activity
Create Branch with wildcard protection Gitea Usages	5	4510	January 29, 2024
Templates with branch security Install/Maintain/Configure	0	1517	March 2, 2021
Help with: This repository doesn’t have any branches Gitea Usages	1	295	January 21, 2025
Disallow users to set master branch protection Install/Maintain/Configure	0	546	January 11, 2019
Branch Protection doesn't work Gitea Usages	1	839	May 11, 2024