Skip change access check for deploy keys

2 files changed, 4 insertions, 5 deletions

diff --git a/lib/gitlab/checks/change_access.rb b/lib/gitlab/checks/change_access.rb
index 7778d3068cc..8a57a3a6d9a 100644
--- a/lib/gitlab/checks/change_access.rb
+++ b/lib/gitlab/checks/change_access.rb
@@ -10,7 +10,7 @@ module Gitlab
       attr_reader(*ATTRIBUTES)
 
       def initialize(
-        change, user_access:, project:, skip_authorization: false,
+        change, user_access:, project:,
         skip_lfs_integrity_check: false, protocol:, logger:
       )
         @oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
@@ -18,7 +18,6 @@ module Gitlab
         @tag_name = Gitlab::Git.tag_name(@ref)
         @user_access = user_access
         @project = project
-        @skip_authorization = skip_authorization
         @skip_lfs_integrity_check = skip_lfs_integrity_check
         @protocol = protocol
 
@@ -27,8 +26,6 @@ module Gitlab
       end
 
       def exec
-        return true if skip_authorization
-
         ref_level_checks
         # Check of commits should happen as the last step
         # given they're expensive in terms of performance
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 0558bced2c3..04a9a2ff7dc 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -266,6 +266,9 @@ module Gitlab
     end
 
     def check_change_access!
+      # Deploy keys with write access can push anything
+      return if deploy_key?
+
       # If there are worktrees with a HEAD pointing to a non-existent object,
       # calls to `git rev-list --all` will fail in git 2.15+. This should also
       # clear stale lock files.
@@ -286,7 +289,6 @@ module Gitlab
         change,
         user_access: user_access,
         project: project,
-        skip_authorization: deploy_key?,
         skip_lfs_integrity_check: skip_lfs_integrity_check,
         protocol: protocol,
         logger: logger