gerrit: Don't let anyone force-push to 'master'

Previously, Mirroring Tools (Lorry) could force-push anywhere. This is
so that personal branches are kept in sync between git.baserock.org and
gerrit.baserock.org. Since users may force-push to their personal
branches, it's necessary to allow force-pushes. But nobody should force
'master', and I have a feeling that this is causing an issue we are
seeing where Gerrit says that it has merged something, but there is no
sign of the merge in 'master'.

Change-Id: I80bc4eace46470ffa7f3da185fcc1c1f228cda71

1 files changed, 6 insertions, 0 deletions

diff --git a/baserock_gerrit/All-Projects/project.config b/baserock_gerrit/All-Projects/project.config
index d3e8b472..e1c44040 100644
--- a/baserock_gerrit/All-Projects/project.config
+++ b/baserock_gerrit/All-Projects/project.config
@@ -66,6 +66,12 @@
 	create            = group Mirroring Tools
 	forgeAuthor       = group Mirroring Tools
 	forgeCommitter    = group Mirroring Tools
+	push              = group Mirroring Tools
+
+# Allow Lorry to force-push to personal branches, but don't ever let
+# it force-push to master as this may undo merges that Gerrit just did
+# and really confuse things.
+[access "^refs/heads/(?!master$)"]
 	push              = +force group Mirroring Tools
 
 [access "refs/tags/*"]