Thanks. How could I miss that one? :-)

One more question though. Suppose I would also want to prevent developers from merging and pushing using GIT Bash (or any other tool), would that require me to set the developers' permissions to read-only and allow them to fork the project and create pull requests instead?

If you'd set the developers permission on the 'central' repository to read-only, they wouldn't be able to merge the pull requests from a fork to the central repository. You need write access on the target repository (and branch) to be able to merge; allowing users with 'read' permission to merge pull requests makes it very hard to control what comes into a repository/branch.

In the fork-based workflow that you suggested, you'd need to appoint a select group of developers and give them write permission on the repository so they can merge the pull requests. It's inconvenient, but it's the only way to strictly control what changes are allowed. If you're happy to do that, I'd set up branch permissions on the branches you want to protect instead of forcing the developers to use forks. It allows you more fine-grained control and is more convenient for the developers as well.

In our own workflow, we trust our developers to follow the workflow and create pull requests for all changes. If you really need to enforce the workflow, you could write a small repository hook that blocks all pushes to selected branches. That way, pull request merges would still be allowed, but manual pushes to the branch would be rejected.

We have documentation and examples on how to write custom repository hooks here:https://developer.atlassian.com/stash/docs/latest/how-tos/repository-hooks.html

Thanks for the detailed answer. Your point about 'trusting the developers' makes great sense. There's no need to strictly enforce this workflow. I trust other developers to follow the workflow, or workaround it if really really needed.