Hi folks,
In our deployment, Registered Users have read access on "refs/*" on all projects (i.e. via "All-Projects" project's access controls).
For one particular repo, I would like a specific group to only have read access to "refs/heads/main" of that repo -- i.e. if a user of that group runs `git clone --mirror <repo-url>` (or `git ls-remote <repo-url>` in an existing clone), all they get is "refs/heads/main".
So far, I have not found a way to grant that access without also granting read access to at least refs/changes/*.
A few things I've tried without success in the project.config of that specific repo:
Attempt 1 - DENY all & ALLOW the more specific ref:

[access "refs/*"]
	read = deny group GroupWithLimitedAccess
[access "refs/heads/main"]
	read = group GroupWithLimitedAccess

Attempt 2 - BLOCK all & override the specific ref with an exclusive ALLOW:

[access "refs/*"]
	read = block group GroupWithLimitedAccess
[access "refs/heads/main"]
	exclusiveGroupPermissions = read
	read = group Registered Users

Attempt 3 - explicitly BLOCK the namespaces I want to hide:

[access "refs/changes/*"]
	read = block group GroupWithLimitedAccess
[access "refs/users/*"]
	read = block group GroupWithLimitedAccess
[access "refs/cache-automerge/*"]
	read = block group GroupWithLimitedAccess

A few non-ACL options I've looked into:
Git's native uploadpack.hideRefs functionality (doesn't appear to be applicable on subsets of clients).
The git-refs-filter plugin (doesn't seem to have per-project configuration, and does extra filtering on closed changes I don't need).
Any help -- including confirmation that what I'm trying to do isn't currently supported -- would be appreciated.
Thanks in advance!
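
Added example, not part of the original post: a shell check that reads `git ls-remote` output and reports which ref namespaces are advertised beyond an allow-list, useful for confirming the effect of an ACL change like the attempts above. The function names and sample lines are constructed for illustration, and the hashes are placeholders.

```shell
# Added example: list ref namespaces advertised beyond an allow-list.
# stdin: `git ls-remote <repo-url>` output; args: refs the account should see.
audit_refs() (
    allowed="$*"   # ref names cannot contain spaces, so a space-joined list is safe
    rc=0
    out=$(awk -F'\t' -v allowed="$allowed" '
        function permitted(r,   i, p) {
            for (i = 1; i <= n; i++) {
                p = a[i]
                if (p == r) return 1
                # a trailing "/*" permits everything below that prefix
                if (substr(p, length(p) - 1) == "/*" &&
                    index(r, substr(p, 1, length(p) - 1)) == 1) return 1
            }
            return 0
        }
        BEGIN { n = split(allowed, a, " ") }
        NF < 2 { next }                      # skip blank or malformed lines
        {
            ref = $2
            # peeled tag entries ("refs/tags/x^{}") name the same ref
            if (substr(ref, length(ref) - 2) == "^{}") ref = substr(ref, 1, length(ref) - 3)
            # HEAD is a symbolic ref, not a namespace of its own (assumption: ignore it)
            if (ref == "HEAD" || permitted(ref)) next
            m = split(ref, parts, "/")
            ns = (m >= 2) ? parts[1] "/" parts[2] : ref   # refs/changes/34/1234/1 -> refs/changes
            leaked[ns]++
        }
        END {
            for (ns in leaked) { printf "%s %d\n", ns, leaked[ns]; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ') || rc=$?
    [ -n "$out" ] && printf '%s\n' "$out" | sort
    exit "$rc"     # 0 = only allowed refs advertised, 1 = something else is visible
)

sample_ls_remote() {
    # Constructed sample, not real server output; hashes are placeholders.
    printf '%s\t%s\n' \
        1111111111111111111111111111111111111111 HEAD \
        1111111111111111111111111111111111111111 refs/heads/main \
        2222222222222222222222222222222222222222 refs/changes/34/1234/1 \
        3333333333333333333333333333333333333333 refs/changes/34/1234/meta \
        4444444444444444444444444444444444444444 refs/users/00/1000000/edit-1234/1 \
        5555555555555555555555555555555555555555 refs/meta/config
}

# Demo on the constructed sample; for a real check pipe in `git ls-remote <repo-url>`.
sample_ls_remote | audit_refs refs/heads/main || echo "refs outside the allow-list are advertised"
```

Run the real check with the credentials of a member of the restricted group, since the ref advertisement depends on who is asking.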