From 564ed574394e62a9d11a9c2179c10f2c1c78edc8 Mon Sep 17 00:00:00 2001
From: Keegan Carruthers-Smith <keegan.csmith@gmail.com>
Date: Tue, 3 Feb 2026 13:34:40 +0200
Subject: [PATCH 1/2] docs/batches: Document batchChanges.restrictMergeToAdmins
 setting

Adds documentation for the new batchChanges.restrictMergeToAdmins site config
option which restricts merge and auto-merge actions to site admins only. This is
useful when using the Batch Changes GitHub App with elevated access, where the
App may have write permissions to repositories that individual users do not.

See sourcegraph/sourcegraph#9559

Note: This PR should only be merged once Sourcegraph 6.13 is released.
Amp-Thread-ID: https://ampcode.com/threads/T-019c2344-7386-702e-8b12-7ec2de618f53
Co-authored-by: Amp <amp@ampcode.com>
---
 docs/admin/config/batch-changes.mdx                 | 12 ++++++++++++
 docs/admin/config/site-config.mdx                   |  3 +--
 docs/batch-changes/permissions-in-batch-changes.mdx |  6 ++++++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/docs/admin/config/batch-changes.mdx b/docs/admin/config/batch-changes.mdx
index 3d783ccae..0cebebb7d 100644
--- a/docs/admin/config/batch-changes.mdx
+++ b/docs/admin/config/batch-changes.mdx
@@ -10,6 +10,18 @@ Batch Changes is [RBAC-enabled](/admin/access-control/) <span class="badge badge
 
 By default, only a batch change's author or a site admin can administer (apply, close, rename, etc.) a batch change. However, admins can use [organizations](/admin/organizations) to facilitate closer collaboration and shared administrative control over batch changes by enabling the `orgs.allMembersBatchChangesAdmin` setting for an organization. When enabled, members of the organization will be able to administer all batch changes created in that organization's namespace. Batch changes created in other namespaces (user or organization) will still be restricted to the author and site admins.
 
+### Restrict merge actions to site admins
+
+When using the [Batch Changes GitHub App](#commit-signing-with-github-apps) with elevated access, the App may have write access to repositories that individual users do not. To restrict who can merge changesets via the Batch Changes UI, set the `batchChanges.restrictMergeToAdmins` site configuration option to `true`:
+
+```json
+{
+	"batchChanges.restrictMergeToAdmins": true
+}
+```
+
+When enabled, only site admins can use the "Merge changesets" and "Enable auto-merge" actions. Non-admin users will receive an error message directing them to contact a site admin.
+
 ## Rollout windows
 
 By default, Sourcegraph attempts to reconcile (create, update, or close) changesets as quickly as the rate limits on the code host allow. This can result in CI systems being overwhelmed if hundreds or thousands of changesets are being handled as part of a single batch change.
diff --git a/docs/admin/config/site-config.mdx b/docs/admin/config/site-config.mdx
index 20ce60a37..ca324588f 100644
--- a/docs/admin/config/site-config.mdx
+++ b/docs/admin/config/site-config.mdx
@@ -79,9 +79,8 @@ All site configuration options and their default values are shown below.
 	// Reject unverified commits when creating a Batch Change
 	"batchChanges.rejectUnverifiedCommit": false,
 
-	// When enabled, only site admins can merge changesets using the Batch Changes UI. This is useful when the Batch Changes GitHub App has elevated access and you want to restrict who can merge changes.
+	// When enabled, only site admins can merge changesets or enable auto-merge via the Batch Changes UI. This is useful when the Batch Changes GitHub App has elevated access and you want to restrict who can merge changes.
 	"batchChanges.restrictMergeToAdmins": false,
-
 	// When enabled, only site admins can create and apply batch changes.
 	"batchChanges.restrictToAdmins": false,
 
diff --git a/docs/batch-changes/permissions-in-batch-changes.mdx b/docs/batch-changes/permissions-in-batch-changes.mdx
index a12cd6fdd..11dffce98 100644
--- a/docs/batch-changes/permissions-in-batch-changes.mdx
+++ b/docs/batch-changes/permissions-in-batch-changes.mdx
@@ -90,3 +90,9 @@ A site admin can disable Batch Changes for a Sourcegraph instance by setting the
 ## Disabling Batch Changes for non-site-admin users
 
 A site admin can disable batch changes for regular users by setting the [site configuration](/admin/config/site-config) property `"batch-changes.restrictToAdmins"` to `true`.
+
+## Restricting merge actions to site admins
+
+When using the [Batch Changes GitHub App](/admin/config/batch-changes#commit-signing-with-github-apps) with elevated access, the App may have write access to repositories that individual users do not. To prevent non-admin users from merging changesets through the Batch Changes UI in repositories they wouldn't normally have merge permissions for, a site admin can set the [site configuration](/admin/config/site-config) property `"batchChanges.restrictMergeToAdmins"` to `true`.
+
+When enabled, only site admins can use the "Merge changesets" and "Enable auto-merge" actions. Non-admin users will see an error directing them to contact a site admin to perform these actions.

From dfbe21acbacb548e62074e9c957afaadaefdeded Mon Sep 17 00:00:00 2001
From: Keegan Carruthers-Smith <keegan.csmith@gmail.com>
Date: Thu, 26 Feb 2026 09:10:40 +0200
Subject: [PATCH 2/2] fix/docs: link GitHub App references to credentials page
 instead of commit signing

The reviewer correctly pointed out that the GitHub App links should direct
users to the credentials setup page rather than the commit signing section,
since the context is about configuring GitHub App credentials with elevated
access, not commit signing.

Test Plan: Verified links point to /batch-changes/configuring-credentials#github-apps

Amp-Thread-ID: https://ampcode.com/threads/T-019c98c8-5f5c-73b9-bea8-e7d43529910c
Co-authored-by: Amp <amp@ampcode.com>
---
 docs/admin/config/batch-changes.mdx                 | 2 +-
 docs/batch-changes/permissions-in-batch-changes.mdx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/admin/config/batch-changes.mdx b/docs/admin/config/batch-changes.mdx
index 0cebebb7d..ebfbb2121 100644
--- a/docs/admin/config/batch-changes.mdx
+++ b/docs/admin/config/batch-changes.mdx
@@ -12,7 +12,7 @@ By default, only a batch change's author or a site admin can administer (apply,
 
 ### Restrict merge actions to site admins
 
-When using the [Batch Changes GitHub App](#commit-signing-with-github-apps) with elevated access, the App may have write access to repositories that individual users do not. To restrict who can merge changesets via the Batch Changes UI, set the `batchChanges.restrictMergeToAdmins` site configuration option to `true`:
+When using the [Batch Changes GitHub App](/batch-changes/configuring-credentials#github-apps) with elevated access, the App may have write access to repositories that individual users do not. To restrict who can merge changesets via the Batch Changes UI, set the `batchChanges.restrictMergeToAdmins` site configuration option to `true`:
 
 ```json
 {
diff --git a/docs/batch-changes/permissions-in-batch-changes.mdx b/docs/batch-changes/permissions-in-batch-changes.mdx
index 11dffce98..f695a424f 100644
--- a/docs/batch-changes/permissions-in-batch-changes.mdx
+++ b/docs/batch-changes/permissions-in-batch-changes.mdx
@@ -93,6 +93,6 @@ A site admin can disable batch changes for regular users by setting the [site co
 
 ## Restricting merge actions to site admins
 
-When using the [Batch Changes GitHub App](/admin/config/batch-changes#commit-signing-with-github-apps) with elevated access, the App may have write access to repositories that individual users do not. To prevent non-admin users from merging changesets through the Batch Changes UI in repositories they wouldn't normally have merge permissions for, a site admin can set the [site configuration](/admin/config/site-config) property `"batchChanges.restrictMergeToAdmins"` to `true`.
+When using the [Batch Changes GitHub App](/batch-changes/configuring-credentials#github-apps) with elevated access, the App may have write access to repositories that individual users do not. To prevent non-admin users from merging changesets through the Batch Changes UI in repositories they wouldn't normally have merge permissions for, a site admin can set the [site configuration](/admin/config/site-config) property `"batchChanges.restrictMergeToAdmins"` to `true`.
 
 When enabled, only site admins can use the "Merge changesets" and "Enable auto-merge" actions. Non-admin users will see an error directing them to contact a site admin to perform these actions.