- Source: GL_ProjectRole
- Destination: GL_Branch
The traversable GL_CanMerge edge indicates that a project role can merge merge requests into this branch. Like GL_CanPush, this edge is conditioned on branch protection rules:
- Unprotected branches — Developer role and above can merge.
- Protected branches — Only roles explicitly listed in the branch's merge allowance can merge. This is often Maintainer or above, but depends on the specific protection configuration.
This edge is traversable with the same attack path significance as GL_CanPush: merging code into a branch triggers pipelines on that branch, enabling arbitrary code execution in the pipeline context. This path is particularly relevant for protected branches where direct push is blocked but merge from a feature branch is allowed.
```mermaid
graph LR
user("fa:fa-user GL_User alice")
maintRole("fa:fa-user-tie GL_ProjectRole myproject/Maintainer")
branch("fa:fa-code-branch GL_Branch main")
runner("fa:fa-gears GL_Runner prod-runner")
user -->|GL_HasRole| maintRole
maintRole -->|GL_CanMerge| branch
branch -.->|GL_BuildsOn| runner
```
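The two rules above (Developer and above on unprotected branches; only explicitly allowed levels on protected ones) can be turned into an edge-derivation routine for a graph collector. The following is an added example written for this page, not the project's own collector code. It assumes branch-protection data shaped like GitLab's protected-branches API (a `merge_access_levels` list whose entries carry a numeric `access_level`, with `0` meaning "No one"), GitLab's documented numeric access levels, and the node-label convention used in the diagram; the `Branch` class, `can_merge`, `derive_can_merge_edges` and the sample data are all constructed for illustration.

```python
"""Derive GL_CanMerge edges (GL_ProjectRole -> GL_Branch) from GitLab
project-role and branch-protection data.

Constructed example. The branch-protection shape mirrors GitLab's
protected_branches API (merge_access_levels entries with a numeric
access_level, 0 meaning "No one"); treat that shape as an assumption.
"""
from dataclasses import dataclass, field

# GitLab's numeric access levels as exposed by its API.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50
ROLE_NAMES = {GUEST: "Guest", REPORTER: "Reporter", DEVELOPER: "Developer",
              MAINTAINER: "Maintainer", OWNER: "Owner"}


@dataclass
class Branch:
    project: str
    name: str
    protected: bool
    # Entries like {"access_level": 40}; only meaningful for protected branches.
    merge_access_levels: list = field(default_factory=list)


def can_merge(role_level: int, branch: Branch) -> bool:
    """True when a project role at role_level may merge into branch."""
    if not branch.protected:
        # Unprotected branch: Developer and above can merge.
        return role_level >= DEVELOPER
    # Protected branch: only roles at or above an explicitly allowed level.
    # access_level 0 is GitLab's "No one" and grants nothing.
    return any(
        entry.get("access_level", 0) > 0 and role_level >= entry["access_level"]
        for entry in branch.merge_access_levels
    )


def derive_can_merge_edges(roles, branches):
    """roles: iterable of (project, access_level) pairs.

    Returns one edge dict per (role, branch) pair that satisfies can_merge,
    labelled with the node naming convention from the diagram (assumed).
    """
    edges = []
    for project, level in roles:
        for branch in branches:
            if branch.project == project and can_merge(level, branch):
                edges.append({
                    "kind": "GL_CanMerge",
                    "start": f"GL_ProjectRole {project}/{ROLE_NAMES[level]}",
                    "end": f"GL_Branch {branch.name}",
                })
    return edges


# Constructed sample data: one protected branch limited to Maintainers,
# one unprotected feature branch, and one protected branch nobody may merge to.
SAMPLE_BRANCHES = [
    Branch("myproject", "main", True, [{"access_level": MAINTAINER}]),
    Branch("myproject", "feature/login", False),
    Branch("myproject", "release", True, [{"access_level": 0}]),  # "No one"
]
SAMPLE_ROLES = [("myproject", DEVELOPER), ("myproject", MAINTAINER)]

if __name__ == "__main__":
    for edge in derive_can_merge_edges(SAMPLE_ROLES, SAMPLE_BRANCHES):
        print(f"{edge['start']} -[{edge['kind']}]-> {edge['end']}")
```

Running it yields three edges: the Developer role reaches only `feature/login`, the Maintainer role reaches `main` and `feature/login`, and no role reaches `release` because its only merge entry is "No one". The useful defensive check here is the `0` case: a collector that naively compares levels without excluding it would report edges into branches that are in fact locked.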