All Collections
Using Salto
Deploying Changes
CI/CD
Branch and Merge Protection Rules for Salto Generated Pull Requests
Branch and Merge Protection Rules for Salto Generated Pull Requests

The article guides on integrating deployments with Salto, detailing merge rules and configurations for various Git providers.

Kirk DeBaets avatar
Written by Kirk DeBaets
Updated over a week ago

As you start integrating your deployments with pull requests, you should consider which merge protection rules should be applied to support your organizational use cases, e.g.

  • Ensuring that deployments have been approved by n number of reviewers

  • Revoke approvals upon deployments changes

  • Running automated tests, or other automations.

Once set up, Salto will respect the condition of the pull request and prevent a deployment by disabling the Deploy button.

Each of the supported Git providers handles branch and merge protection in a slightly different manner so follow the instructions for the Git solution connected to your system.

Which Branches Do You Need to Protect?

As part of the Salto PR process, two branches are created for each pull request in the format:

salto/before/env/<targetEnvId>/deployment/<deploymentId>
salto/after/env/<targetEnvId>/deployment/<deploymentId>

Branch and merge protection rules need to be applied only to the "before" branches.

The environment ID is located in the URL following the "envs/" anytime you are navigating within an environment. In the image below the targetEnvId is 8ee0ce0d-4df8-4263-a84c-679e6ca85243.

How do I find the targetEnvId?

The environment ID is located in the URL following the "envs/" anytime you are navigating within an environment. In the image below the targetEnvId is 8ee0ce0d-4df8-4263-a84c-679e6ca85243.

Git Providers

GitHub

GitHub combines Branch and Merge protection rules into a single function. Navigate to the repository used by Salto, go to the Settings tab, select Branches on the left, and click on Add branch protection rule.

For the Branch name pattern, add salto/before/env/<targetEnvId>/deployment/*.

(To apply the rules to all environments you can add salto/before/**/*).

For the remainder of the page, complete this according to your organization's policies.

If your policies require retricting who can push to matching branches, you must include the saltoio user for Salto to function correctly.

GitLab

GitLab treats Branch Protection and Merge Protection as two separate functions.

To protect the branch, navigate to the repository used by Salto, expand Settings on the left, select Repository, and click on the Expand button for "Protected branches."

For the Branch, type in salto/before/env/<targetEnvId>/deployment/* and click on Create wildcard salto/before/env/<targetEnvId>/deployment/*.

(To apply the rules to all environments you can add salto/before/*).

To ensure Salto can work properly on the protected branches, choose "Developers + Maintainers" for both the "Allowed to merge" and "Allowed to push and merge" dropdown selectors and click on the Protect button.

To configure Merge protection, navigate to the repository used by Salto, expand Settings on the left, select Merge requests, and configure the merge options that adhere to your organizations settings.

* Required approvals are part of GitLab's Premium tier or higher.

BitBucket

BitBucket combines Branch and Merge protection rules into a single function. Navigate to the repository used by Salto, click on Repository Settings on the left

Then click on Branch restrictions on the left and Add a branch restriction

For the branch name or pattern, type in salto/before/env/<targetEnvId>/deployment/*.

(To apply the rules to all environments you can add salto/before/*).

Under Branch permissions, allow everyone with access to the repository to perform both actions to ensure Salto can work properly on the protected branch.

For Merge settings, select the items that conform to your organization's policies.

* Required merge checks are part of BitBucket's Premium tier or higher.

Azure DevOps

Azure DevOps allows control of Branch and Merge protection at both the Project level and the Repository level.

Project Level Branch and Merge Protection

To ensure Salto can perform correctly on protected branches, navigate to Project Settings - Repositories and click on the Security tab. Choose the group that contains your Salto users and change Bypass policies when pushing to Allow.

To set policies for all repositories in the project, change to the Policies tab and click the plus sign in the Branch Policies section. Choose the Protect current and future branches matching a specified pattern radio button and type in the Branch name pattern salto/before/env/<targetEnvId>/deployment/* and the Create button.

(To apply the rules to all environments you can add salto/before/*).

Finally, select the items that conform to your organization's policies.

Repository Level Branch and Merge Protection

To ensure Salto can perform correctly on protected branches, navigate to Project Settings - Repositories, select the Salto repository and click on the Security tab. Choose the group that contains your Salto users and change Bypass policies when pushing to Allow.

To set branch policies for Salto deployments in this repository, you must enable integrating Pull Requests with Salto, and do at least one "Preview Deployment" activity. This will create the necessary branch hierarchy in your repository. Click on the salto/before/env/<targetEnvId>/deployment/ folder (you may need to search for salto):

This will allow you to select the items that conform to your organization's policies.

Did this answer your question?