Projects that release on their own want the ability to lock or unlock their branches. There are potentially a few ways we can achieve this:

1) Allow committers permissions to modify their refs/meta/config

This will give committers full reign over the permissions configuration for their project. If they do not know the correct Gerrit configuration to manage their repo this could be difficult for a non-Gerrit admin to get the right settings. I think the worst they can do is cause permissions issues in their own project repo though. One thing we need to do if we go this route is to ensure that All-Projects has a BLOCK permission for the "Push" permission to refs/heads/* to prevent them from adding an overriding permission to push directly to the repo.

2) Create a Jenkins job which can be triggered to lock / unlock branches

I discussed this briefly with Andy. We could allow the jobs to be triggered via keywords such as "lock branch", "unlock branch" in Gerrit. The job will open a patch in Gerrit and leave a comment to where the patch was submitted. A committer of the project must still vote +2 CR and +1 Verified and click Submit for the changes to take affect. This allows us to make a more precise configuration change and the committers do not need to know about Gerrit permissions system.

In this method we need to provide 3 permissions:

• -2, +2 Code-Review
• -1, +1 Verified (Would be good if we can disable this vote for only meta/config but I'm not sure how)
• Submit

As a reference the onap project allows the following permissions:

Read
Allow Administrators
Allow Project-Owners

Push
Allow Administrators
Block Project-Owners

Label Code-Review
-2, +2 Administrators
-1, +1 Project-Owners

Label Verified
-1, +1 Administrators

Submit
Allow Administrators