Enable rules
In Harness Code, you can use branch rules, tag rules, and CODEOWNERS to manage individual repositories.
For broader permissions, such as the ability to view repos within a specific Harness project, go to Access control.
Add branch rules
In Harness Code, you can create branch rules for a single branch or multiple branches in a repository, project, org, or account. Branch rules establish criteria for approving and merging PRs, define who can create and delete branches, and more.
Branch rules set on a repository only apply to that specific repository but you can also set branch rules at the project, organization or account level to enforce consistent policies across multiple repositories. E.g. A branch rule set on a project will apply to every repository in that project - even newly created repositories.
If you configure branch rules at multiple levels they are combined with an AND clause. This generally means the more restrictive rule applies. E.g If you configure a repository branch rule that requires 1 approval before merging but the org branch rule requires 2 approvals, then 2 approvals are needed. Before the branch can be merged the repository requires 1 approval AND the org requires 2 approvals so 2 approvals are needed.
- Navigate to the level where you want to enable branch rules. For projects, orgs, or accounts, select Manage Repositories. For a repository, click Settings.
- Select the Rules tab.
- Click + Create Branch Rule.
- Enter the rule Name and optional Description.
Name must start with a letter or _ and only contain [a-zA-Z0-9-_.]
- In Target Patterns, specify branches covered by this rule according to branch name globstar patterns, such as string,feature-*, orreleases/**. You can also select whether the rule should apply to the default branch (such asmain).
You have the option to include or exclude repositories when setting rules at the account, org, or project level. This allows you to fine-tune which repositories the rule applies to without forcing the rule across every repo. You can do this in two ways:
- By selecting specific repositories (for example, billing-api,web-frontend).
- By using name patterns (for example, service-*,exp-*).
Includes and excludes can be mixed, and excludes take precedence when there’s overlap.
Examples:
- Include by pattern: service-*
- Include specific repos: billing-api,web-frontend
- Exclude by pattern: exp-*
- Exclude a specific repo: playground
- In Bypass List, you can specify users, user groups, or service accounts who can bypass this rule.
- For each of the Rules, select the rule you want to enable and provide additional specifications, if necessary. For example, if you select Require a minimum number of reviewers, you must specify the minimum number of reviewers.
- Select Create Rule.
Available rules
The following rules are available when adding branch rules. Some rules require additional configuration.
| Rule | Additional configuration | 
|---|---|
| Block branch creation | This rule doesn't block users, groups, or service accounts in the Bypass List. | 
| Block branch update | This rule doesn't block users, groups, or service accounts in the Bypass List. | 
| Block branch deletion | This rule doesn't block users, groups, or service accounts in the Bypass List. | 
| Block force push | This rule doesn't block users, groups, or service accounts in the Bypass List. | 
| Require pull request | This rule doesn't block users, groups, or service accounts in the Bypass List. | 
| Enable default reviewers | Automatically assigns default reviewers to new pull requests. Optionally, enforce a minimum number of approvals from default reviewers before merging. Details. | 
| Require a minimum number of reviewers | You must specify the minimum number of reviewers. | 
| Add Code Owners as reviewers | This rule automatically adds relevant Code Owners as reviewers. | 
| Require review from code owners | This rule requires a CODEOWNERS file in your branches. If there is no CODEOWNERS file, Harness can't enforce the rule. | 
| Require approval of new changes | This rule requires that you also enable Require a minimum number of reviewers or Require review from code owners (or both). Without at least one of those additional rules, this rule has no effect. | 
| Require resolution of change requests | None. | 
| Require comment resolution | None. | 
| Require status checks to pass | You must specify the checks that must pass. | 
| Limit merge strategies | You must select the allowed merge strategies. | 
| Auto delete branch on merge | None. | 
Default Reviewer
Default reviewers can be configured as part of branch protection rules. When enabled, specified default reviewers are automatically assigned to new pull requests.
 
If a minimum number of approvals from default reviewers is required, the PR cannot be merged until at least that many approvals are received. This requirement is displayed in the Approvals section of the PR summary.
 
Pull requests authored by a default reviewer will skip the required approval check if there aren’t enough remaining default reviewers to meet the condition. To enforce the approval requirement in such cases, consider adding more default reviewers.
Updating the rule does not retroactively assign reviewers to existing PRs—it only applies at the time of PR creation.
Add Tag Rules
Harness Code Repository supports Tag Rules, allowing you to enforce fine-grained control over Git tag operations — similar to branch protection rules, but specific to tags.
You can restrict who can create, delete, or update tags, and apply rules to specific tag patterns.
To create a tag rule:
- Navigate to Code Repository → your repo.
- In the left sidebar, select Manage Repository.
- Go to the Rules tab.
- Click the + Create Branch Rule dropdown and select + Create Tag Rule.
Create a Tag Rule
After selecting + Create Tag Rule, the rule editor appears:
Enable
Check this box to activate the rule.
Name and Description
- Name: A human-readable name for the rule.
- Description (optional): Add context for this rule’s purpose.
Target Patterns
- 
Define which tag patterns this rule applies to. 
- 
Use globstar-style matching (e.g.: - v*for all version tags,
- release/**for nested release tags).
 
- 
You can include or exclude repositories when creating tag rules at the account, org, or project level. This makes it possible to scope rules precisely without forcing the rule across every repo. You can do this in two ways: - By selecting specific repositories (for example, billing-api,ui).
- By using name patterns (for example, prod-*,exp-*).
 
- By selecting specific repositories (for example, 
- 
Includes and excludes can be mixed, and excludes take precedence when they overlap. 
 Examples:- Include by pattern: prod-*
- Include specific repos: billing-api,ui
- Exclude by pattern: exp-*
- Exclude a specific repo: playground
 
- Include by pattern: 
Rules: Select all that apply
Choose which operations to restrict for tags matching the pattern:
- Block tag creation – Restrict who can create matching tags.
- Block tag deletion – Restrict who can delete matching tags.
- Block tag update – Restrict who can update matching tags.
Bypass List
Allow specific users, user groups, or service accounts to bypass the rule. Only those listed will be able to perform restricted operations.
Example: Prevent Accidental Release Tagging
If you want to prevent unapproved users from creating or deleting tags like v1.0.0, you could:
- Target pattern: v*
- Enable:
- Block tag creation
- Block tag deletion
- Block tag update
 
- Add your CI service account to the bypass list
Tips
- Use tag rules in combination with branch rules for comprehensive Git policy enforcement.
- You can view all active tag rules in the Rules tab of the repository, under the Tag filter.
- Rules are enforced at the Git operation level — users pushing from Git CLI or through CI tools will see a rejection message if blocked.
Toggle rules
You can toggle rules on and off.
- Go to your repository and select Settings.
- Select the Rules tab.
- Select your rule.
- Click the Enable the rule toggle at the top of the page to turn the rule on and off.
Edit or delete rules
- Go to your repository and select Settings.
- Select the Rules tab.
- Locate the rule you want to edit or delete, select More options, and then select Edit Rule or Delete Rule.
CODEOWNERS
A CODEOWNERS file declares the users responsible for a repository or part of a repository. To use a CODEOWNERS file, create a new file named CODEOWNERS in one of the following locations in your repository:
- CODEOWNERS(at the root level)
- .harness/CODEOWNERS
Harness Code recognizes CODEOWNERS in a repository if a CODEOWNERS file is present but does not automatically add them as reviewers. This prevents unnecessary notifications when changes affect files that don’t require review from all CODEOWNERS. To auto-add CODEOWNERS as reviewers, enable the Add Code Owners as reviewers rule.
You can still manually request reviews from specific CODEOWNERS. If a CODEOWNER voluntarily reviews a PR, Harness adds them as a reviewer for record-keeping, just like any other independent review. If the Require review from code owners branch rule is enabled, CODEOWNERS function as an approval policy—meaning a PR cannot be merged unless the changes have been approved by the required CODEOWNERS. This requirement is displayed in the Approvals section of the PR summary.
CODEOWNERS syntax
In your Harness Code CODEOWNERS file, you can assign code ownership to users and user groups within your Harness account, organizations, or projects.
You can declare CODEOWNERS using:
- The email address associated with a Harness user profile.
- User groups at the project, organization, or account level.
For user groups, use the following formats:
- Project-level user group: @my_project_group
- Org-level user group:
- If the repo is at org level: @org.my_org_groupor simply@my_org_group
- If the repo is at project level: you must use @org.my_org_group
 
- If the repo is at org level: 
- Account-level user group: @account.my_account_group
Both the long (@org.my_org_group) and short (@my_org_group) forms are supported, but the short form only works if the repo itself is at org level.
When a CODEOWNERS rule includes a user group, any member of that group can provide the required approval.
If there are multiple rules with the same pattern, the last matching rule takes precedence — only the final one is applied.
You can assign ownership to specific files, directories, or otherwise. Wildcards are allowed. For example, this CODEOWNERS file demonstrates different ways you can declare ownership.
Harness ---
# Global owner
* email
# User groups at different scopes
** @dev-team @org.security-group @account.admins
# Specific file with multiple owners
Gemfile.lock email1 email2
# Subdirectory owners
/some_directory/ email
/some_directory_2/ email1 email2
# Workspace owner
WORKSPACE email
# Wildcards
**/src/** email
*.lock email