Restricting the refspec of AWX

From docs/branch_override.md in the AWX project

The Ansible git module always fetches refs/heads/*. It will do this
whether or not a custom refspec is provided.

I would really like to restrict our production AWX to only override commits within a branch (so we can deploy with configuration that has been tested in lower environments).

On that basis I’d like it if we could set refspec to refs/heads/main so that if a commit isn’t on main, it can’t be used.

We could probably do that override in a number of ways, but I’d like it if that was available in AWX somehow.

Hi

In the AWX settings I don’t find any option to “force” the usage of a specific branch for all git projects (and it doesn’t make much sense to block it).

To prevent someone from changing the SCM branch or ref, simply adopt RBAC on the project section and allow the creation of projects only via a “special” job template that uses an AWX user with the project admin/creation role.

For all other users you can leave permissions like project read/update.

Well, you can set branch_override to false easily enough. But that doesn’t solve my problem, which is that I do want to allow people to override the commit hash, but not use a different branch (so RBAC doesn’t help with that either). Forcing a refspec should suffice, as the commit would need to be an ancestor of the allowed branch (otherwise it wouldn’t be reachable).
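
Added example, not part of the thread and not AWX or Ansible code: the reachability argument from the last post, shown with plain git on two constructed repositories. The function names, the `feature` branch and the temporary paths are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Constructed demo repos; names and paths are illustrative, not AWX's.

# git with a throwaway identity so commits work on a machine with no config
g() { git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false "$@"; }

# Build an upstream with a tested commit on main and an unmerged commit on feature.
make_upstream() {  # $1 = upstream dir
  g init -q "$1"
  g -C "$1" symbolic-ref HEAD refs/heads/main
  g -C "$1" commit -q --allow-empty -m "tested change on main"
  g -C "$1" checkout -q -b feature
  g -C "$1" commit -q --allow-empty -m "untested change on feature"
  g -C "$1" checkout -q main
}

# Fetch only the allowed branch: objects reachable solely from other
# branches are never transferred.
restricted_fetch() {  # $1 = upstream dir, $2 = new working repo
  g init -q "$2"
  g -C "$2" fetch -q "$1" "+refs/heads/main:refs/remotes/origin/main"
}

# Succeeds only if the commit exists locally AND is an ancestor of
# (or equal to) the tip of the allowed branch.
allowed_commit() {  # $1 = working repo, $2 = commit hash
  g -C "$1" cat-file -e "$2^{commit}" 2>/dev/null &&
    g -C "$1" merge-base --is-ancestor "$2" refs/remotes/origin/main
}

demo() {
  tmp=$(mktemp -d)
  make_upstream "$tmp/up"
  main_sha=$(g -C "$tmp/up" rev-parse main)
  feat_sha=$(g -C "$tmp/up" rev-parse feature)
  restricted_fetch "$tmp/up" "$tmp/work"
  for sha in "$main_sha" "$feat_sha"; do
    if allowed_commit "$tmp/work" "$sha"; then echo "$sha allowed"
    else echo "$sha rejected"; fi
  done
  rm -rf "$tmp"
}
demo
```

The `merge-base --is-ancestor` test does not depend on the narrow fetch, so it still separates the two commits in a checkout where every branch has been fetched.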