Skip to content

Update release create and update permissions to be Maintainer or higher

Proposal

Update the permissions for release creation and updating to require at least Maintainer permission.

Currently, releases can be created and edited by Developers, but only Maintainers can delete a release.

Why?

  • This makes the permissions more consistent - the same level of permission is required for all actions that mutate releases (create, edit, and delete)
  • Removes the case where developers create a release they can't delete
  • Lines up with what most projects would expect
    • For example, currently any developer at GitLab can create or edit our Releases page, which is a little bit too open for comfort.
  • Will automatically fix #220863 (closed) as a byproduct.

Some downsides/things to consider

  • This change would break workflows that rely on Developer users manually creating releases, or use Developer tokens to automatically create releases in CI
  • This change moves us out of alignment with GitHub, which only requires Developer permissions to create/edit releases.
    • Note: We are already somewhat out of alignment with GitHub in that deleting releases is restricted to Maintainers

Discussion

#220863 (comment 481974147)

Edited by Nathan Friend