Bitbucket - only members of a group can approve (including their own PR)

Piotr Milczarek September 22, 2023

Hi,

We would like to set up a mandatory review process at the repo level based on lists. The idea is that anyone could open a PR, but it can be approved by people belonging to a certain role/list. We are currently setting it up via the API, creating a default reviewer list with at least one mandatory approval. This is not exactly what we want though, as if the originator of the PR is a member of the list of default reviewers, then they still need another default reviewer to approve, and we would like to drop that requirement.

Do you have any suggestion on how to add it? We have access to Workzone and Scriptrunner. I briefly explored the Merge Checks from the Scriptrunner, but we would like to set it up for each repo in the project, ideally through the API, as automated as possible. Also, allowing only members of the list to merge does not solve the problem, as we would like to detach the approval from the actual merge, so the change could be merged by whoever initiated the PR.

Currently we are sourcing members for the default reviewers based on the Active Directory groups, as this is the only way of easily distinguishing roles in our setup.
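The question mentions creating the default-reviewer condition through the API from an AD group. As an added example (not code from the thread or from Atlassian), this Python script resolves the members of a group and creates a repo-level default-reviewer condition with a required approval count. The REST paths, the payload shape and the group-members endpoint are assumptions to verify against your instance's REST documentation; `BASE_URL`, `PROJECT`, `REPO` and `GROUP` are placeholders.

```python
"""
Added example (not from the thread): create a Bitbucket Data Center
default-reviewer condition for one repository from a synced AD group.
Endpoint paths and payload shape are assumptions to verify against the
instance's REST docs; the constants below are placeholders.
"""
import json
import urllib.parse
import urllib.request

BASE_URL = "https://bitbucket.example.invalid"  # placeholder
PROJECT = "PROJ"                                 # placeholder project key
REPO = "my-repo"                                 # placeholder repository slug
GROUP = "ad-release-approvers"                   # placeholder AD-backed group


def build_condition(reviewer_ids, target_branch, required_approvals=1):
    """Build the default-reviewer condition payload (assumed shape).

    Any source ref is allowed; the target is matched by branch name.
    Only approvals from the listed reviewers count towards the required
    number, and Bitbucket never counts an approval by the PR author, which
    is exactly the limitation the thread discusses.
    """
    if required_approvals < 1:
        raise ValueError("required_approvals must be at least 1")
    ids = sorted(set(reviewer_ids))  # de-duplicate, stable order
    if required_approvals > len(ids):
        raise ValueError("cannot require more approvals than there are reviewers")
    return {
        "sourceMatcher": {"id": "ANY_REF_MATCHER_ID", "type": {"id": "ANY_REF"}},
        "targetMatcher": {"id": f"refs/heads/{target_branch}", "type": {"id": "BRANCH"}},
        "reviewers": [{"id": i} for i in ids],
        "requiredApprovals": required_approvals,
    }


def _get_json(url, token):
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def group_member_ids(base_url, group, token, page_size=100):
    """Resolve numeric user ids for every member of a group.

    Assumed endpoint: GET /rest/api/1.0/admin/groups/more-members?context=<group>
    (admin permission required), walked with Bitbucket's start/limit paging.
    """
    ids, start = [], 0
    while True:
        url = (f"{base_url}/rest/api/1.0/admin/groups/more-members"
               f"?context={urllib.parse.quote(group)}&start={start}&limit={page_size}")
        page = _get_json(url, token)
        ids.extend(user["id"] for user in page.get("values", []))
        if page.get("isLastPage", True):
            return ids
        start = page["nextPageStart"]


def apply_condition(base_url, project, repo, token, condition):
    """POST the condition to the repo (assumed endpoint .../default-reviewers/1.0/.../condition)."""
    url = f"{base_url}/rest/default-reviewers/1.0/projects/{project}/repos/{repo}/condition"
    req = urllib.request.Request(
        url, data=json.dumps(condition).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    token = os.environ["BITBUCKET_TOKEN"]  # HTTP access token with admin rights
    members = group_member_ids(BASE_URL, GROUP, token)
    created = apply_condition(BASE_URL, PROJECT, REPO, token,
                              build_condition(members, "main", required_approvals=1))
    print(json.dumps(created, indent=2))
```

Run it once per repository (looping over the project's repos is a straightforward extension). Note that the condition created this way still requires an approval from a listed reviewer other than the author, so it does not by itself express "members of the group may merge their own PRs without a second approval".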

1 answer

2 votes
Ulrich Kuhnhardt _IzymesCo_
Atlassian Partner
September 25, 2023

Hi Piotr,

glad you're using Workzone (we maintain it :) - you're half-way there with your requirement. If I understand correctly you would like some mandatory reviewers (currently configured as repo default reviewers) to approve a PR before it can be merged, EXCEPT if any of the mandatory reviewers is the author of the PR, then it should be merged directly without an additional approval, correct?

So Workzone can do that for you - in combination with repo merge permissions that you mentioned above. Here is how to set it up:

  1. Add PR merge permissions for each of the mandatory reviewers PLUS a system account user (Workzone "auto-merge" user) for the desired target branch 
  2. In Workzone "Reviewers", configure the AD group as a mandatory reviewers group (**) (Workzone handles AD groups) for the desired target branch or pattern
  3. In Workzone "Merge", configure the Workzone "auto-merge" system user as the merge user, set mandatory approval count to "1" for the desired target branch or pattern

With this config each mandatory reviewer as PR author can merge directly via the merge button. Other authors' PRs will need at least one approval from a mandatory reviewer group member before the PR is auto-merged by Workzone.

(**) Workzone takes "mandatory" reviewers literally - even if the PR author edits the PR and removes a mandatory reviewer, Workzone will add them back :D

Workzone exports a REST API for automation as well.

Let me know if this helps,

Cheers Ulrich

// Izymes - Tools for efficient teams

Piotr Milczarek September 26, 2023

Hi Ulrich, thank you for your response - this is almost what we want :)

The only difference is that we don't want automatic merge - it should still be up to the author of PR to decide when to merge it. So we don't want automatic merge based on approvals but rather mandatory review/signoff of the PR before merge, still controlled by the PR author.

Is it possible?

Also, do I understand correctly, that this part:

  1. Add PR merge permissions for each of the mandatory reviewers PLUS a system account user (Workzone "auto-merge" user) for the desired target branch

would be configured in global "Repository settings" -> "Security" -> "Branch permissions", not in Workzone? Or where exactly?

Ulrich Kuhnhardt _IzymesCo_
Atlassian Partner
September 28, 2023

Hi Piotr,

I understand that Workzone auto-merge is not an option and the author of the PR needs to merge it manually.

If _anyone_ must be able to merge manually, Workzone must then enforce merge conditions for everyone, including the mandatory special reviewers. So you're back to square one where even mandatory users require an additional approval.

As a work-around you can use Workzone's 'trigger auto-merge on task completion' feature and require all tasks to be resolved ('no open tasks') as a general merge condition in repository merge check settings.

PRs can still get merged manually by mandatory reviewers (without additional approval). Other authors need to create a task like 'merge me' and wait for the approval. Once that is given, the PR is not yet auto-merged because there is an open task. The author can then tick off the task and the PR will be merged by the system account user.


And yes - the system account user needs to be added to repository settings > security > branch permissions > allow via pr merge

Hope that helps.
