Skip to content

docs/batches: Document batchChanges.restrictMergeToAdmins setting #1581

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
keegancsmith wants to merge 1 commit into
base: main
Choose a base branch
from
Open

docs/batches: Document batchChanges.restrictMergeToAdmins setting #1581

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions docs/admin/config/batch-changes.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,18 @@ Batch Changes is [RBAC-enabled](/admin/access-control/) <span class="badge badge

By default, only a batch change's author or a site admin can administer (apply, close, rename, etc.) a batch change. However, admins can use [organizations](/admin/organizations) to facilitate closer collaboration and shared administrative control over batch changes by enabling the `orgs.allMembersBatchChangesAdmin` setting for an organization. When enabled, members of the organization will be able to administer all batch changes created in that organization's namespace. Batch changes created in other namespaces (user or organization) will still be restricted to the author and site admins.

### Restrict merge actions to site admins

When using the [Batch Changes GitHub App](#commit-signing-with-github-apps) with elevated access, the App may have write access to repositories that individual users do not. To restrict who can merge changesets via the Batch Changes UI, set the `batchChanges.restrictMergeToAdmins` site configuration option to `true`:
Copy link
Contributor

@bahrmichael bahrmichael Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would recommend linking to https://sourcegraph.com/docs/batch-changes/configuring-credentials#github-apps for setting up github apps credentials, instead of linking to the chapter dedicated to commit signing.


```json
{
"batchChanges.restrictMergeToAdmins": true
}
```

When enabled, only site admins can use the "Merge changesets" and "Enable auto-merge" actions. Non-admin users will receive an error message directing them to contact a site admin.

## Rollout windows

By default, Sourcegraph attempts to reconcile (create, update, or close) changesets as quickly as the rate limits on the code host allow. This can result in CI systems being overwhelmed if hundreds or thousands of changesets are being handled as part of a single batch change.
Expand Down
3 changes: 3 additions & 0 deletions docs/admin/config/site-config.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,9 @@ All site configuration options and their default values are shown below.
// Reject unverified commits when creating a Batch Change
"batchChanges.rejectUnverifiedCommit": false,

// When enabled, only site admins can merge changesets or enable auto-merge via the Batch Changes UI.
"batchChanges.restrictMergeToAdmins": false,

// When enabled, only site admins can create and apply batch changes.
"batchChanges.restrictToAdmins": false,

Expand Down
6 changes: 6 additions & 0 deletions docs/batch-changes/permissions-in-batch-changes.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,3 +90,9 @@ A site admin can disable Batch Changes for a Sourcegraph instance by setting the
## Disabling Batch Changes for non-site-admin users

A site admin can disable batch changes for regular users by setting the [site configuration](/admin/config/site-config) property `"batch-changes.restrictToAdmins"` to `true`.

## Restricting merge actions to site admins

When using the [Batch Changes GitHub App](/admin/config/batch-changes#commit-signing-with-github-apps) with elevated access, the App may have write access to repositories that individual users do not. To prevent non-admin users from merging changesets through the Batch Changes UI in repositories they wouldn't normally have merge permissions for, a site admin can set the [site configuration](/admin/config/site-config) property `"batchChanges.restrictMergeToAdmins"` to `true`.
Copy link
Contributor

@bahrmichael bahrmichael Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/sourcegraph/docs/pull/1581/changes#r2758783667


When enabled, only site admins can use the "Merge changesets" and "Enable auto-merge" actions. Non-admin users will see an error directing them to contact a site admin to perform these actions.