This documentation contradicts itself. On the one hard, it says this:

They do not prevent branch creation. Branch permissions will only be enforced on updates to existing branches and tags.

On the other hand, it says this:

Prevent all changes
Prevents pushes to the specified branch(es) and restricts creating new branches that match the branch(es) or pattern.

These statements cannot both be true. Furthermore, the second statement appears to be correct, and unfortunately, it sure seams like this means it is impossible to make branches read-only while also allowing the creation of new read-only branches. But I could be missing something, so maybe somebody can help.

We have a branch permission configured with a pattern so that those branches we considered "released" (match the pattern) are read-only (all changes and deletions are prevented). Normally, we would release a branch by "renaming" it from e.g. main-2.0.1 (a development branch name) to 2.0.1 (a release branch name). But Bitbucket does not have a mechanism for renaming branches, so we release by creating a new branch 2.0.1 from main-2.0.1 and then deleting main-2.0.1. However, we can't do that anymore, because our new branch permissions that makes release branches read-only also prevents us from creating release branches. (And, more accurately, we've had to disable our release branch permission so that we can create release branches again.)

So ... how can we make release branches read-only while also allowing the creation of new release branches?