Can CODEOWNERS be used to relax branch protection for specific files?

I’m trying to protect main in general, but allow direct pushes (i.e. without MR) that change CHANGELOG.md. For various reasons this would help with deployment. That’s the ideal (which I’ve pretty much given up on), but even an MR that didn’t require approval would be good.

I’m having trouble understanding how to set this up (or even if it is possible - mostly people seem to use CODEOWNERS to add restrictions rather than remove them…).

My protected branch settings are as follows:

(Incidentally, the two statements on this screen seem contradictory… "Reject code pushes that change files listed in the CODEOWNERS file" vs the tooltip for Code Owner Approval: "Does not apply to users allowed to push.")

And merge approvals settings are:

```
[General]
* @stuartmcgill

^[CHANGELOG]
CHANGELOG.md @stuartmcgill
```

I think these settings should require approval for everything except the changelog. However, in reality everything appears optional when I create an MR targeting main. I am a direct member of the project (by virtue of being an Owner).

I’ve tried all combinations of these settings I can think of and played around with the CODEOWNERS syntax but to no avail. The only thing that did work was specifying a single file instead of the wildcard, which doesn’t really help.

If anyone has tried something like this (or if it just can’t be done) I’d love to know…thanks

Extra info from Code Owners | GitLab:

> Optional sections in the CODEOWNERS file are treated as optional only when changes are submitted by using merge requests. If a change is submitted directly to the protected branch, approval from Code Owners is still required, even if the section is marked as optional.

> The Code Owner approval and protected branch features do not apply to users who are Allowed to push.

So from the first paragraph I think the idea of allowing a push direct to main is out. But I don’t have a clue what the second paragraph means, and why it doesn’t conflict with the first.
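
A simplified model of the per-section rule in GitLab's Code Owners documentation (within each section the last matching pattern applies, and one file can match in several sections), run on the CODEOWNERS file from the post above. This is an added example, not part of the original post and not GitLab's code; `parse`, `matches` and `required_sections` are hypothetical helper names, the glob matcher is a simplification, and the `/src/*` pattern is constructed for comparison.

```python
import fnmatch
import re

# Constructed sample: the CODEOWNERS file quoted in the post.
CODEOWNERS = """\
[General]
* @stuartmcgill

^[CHANGELOG]
CHANGELOG.md @stuartmcgill
"""
# Constructed variant: the catch-all narrowed to a hypothetical /src tree.
NARROWED = CODEOWNERS.replace("* @", "/src/* @")
HEADER = re.compile(r"^(\^?)\[([^\]]+)\]")  # a leading ^ marks the section optional

def parse(text):
    """Return {section: {"optional": bool, "rules": [(pattern, owners)]}}."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(2).lower()  # section names are case-insensitive
            sections.setdefault(current, {"optional": m.group(1) == "^", "rules": []})
            continue
        pattern, *owners = line.split()
        sec = sections.setdefault(current, {"optional": False, "rules": []})
        sec["rules"].append((pattern, owners))
    return sections

def matches(pattern, path):
    """Simplified glob (assumption): a leading / anchors the pattern at the repo root."""
    if pattern.startswith("/"):
        return fnmatch.fnmatchcase(path, pattern[1:])
    base = path.rsplit("/", 1)[-1]
    return fnmatch.fnmatchcase(path, pattern) or fnmatch.fnmatchcase(base, pattern)

def required_sections(text, changed):
    """Non-optional sections that own a changed file, mapped to their owners."""
    hits = {}
    for name, sec in parse(text).items():
        if sec["optional"]:
            continue
        for path in changed:
            owners = []
            for pattern, who in sec["rules"]:
                if matches(pattern, path):
                    owners = who  # the last matching pattern in the section wins
            if owners:
                hits.setdefault(name, set()).update(owners)
    return hits
```

Under this model the `*` entry in `[General]` also owns `CHANGELOG.md`, so the required section still covers a changelog-only change; only the narrowed variant leaves that file to the optional section alone.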