BE: Allow for some modifications to protected branches
Why are we doing this work
When there is a policy with block_unprotecting_branches: true in it, for any affected protected branches:
- users are prevented from unprotecting a protected branch
- users are NOT prevented from changing any other settings on the affected protected branch (e.g. Allowed to push, Allowed to merge, Code owner approval, Allowed to force push). Those should all still be editable.
These expectations changed from when BE: Prevent changes in project-level protected ... (#418745 - closed) was completed and now they need to be updated.
More information at !133268 (comment 1629267359)
Relevant links
Non-functional requirements
-
Documentation: -
Feature flag: -
Performance: -
Testing:
Implementation plan
Verification steps
- Upload a GitLab Ultimate license
- Enable the feature flags
  ```shell
  echo "Feature.enable(:scan_result_policies_block_unprotecting_branches)" | rails c
  ```
- Go to Project/Settings/Repository/Protected Branches (/settings/repository#js-protected-branches-settings)
- Protect a couple of branches; you should be able to unprotect them
- Go to Secure => Policies => New policy => Scan Result Policy
- Create the policy in rule mode to match the below yaml or go to yaml mode and use the below policy
  ```yaml
  type: scan_result_policy
  name: Container Scanning
  description: ''
  enabled: true
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 1
  rules:
    - type: scan_finding
      scanners:
        - container_scanning
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
      branch_exceptions:
        - foobar # actual protected branches name you want to exclude
  approval_settings:
    block_unprotecting_branches: true
  ```
- Go back to settings, click the unprotect button
- Change other settings for the branch
- Expect that they should be changeable
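The expected outcome of these steps can be modelled as a small check, added here as an illustration and not taken from GitLab's code base. It assumes a rule with branch_type: protected covers every protected branch except those named as plain strings under branch_exceptions; the method names, setting symbols and branch names are hypothetical.

```ruby
require 'yaml'

# Constructed sample: the relevant keys of the policy from the steps above.
POLICY_YAML = <<~YAML
  type: scan_result_policy
  enabled: true
  rules:
    - type: scan_finding
      branch_type: protected
      branch_exceptions:
        - foobar
  approval_settings:
    block_unprotecting_branches: true
YAML

# Settings the issue says must stay editable (hypothetical symbol names).
EDITABLE = %i[allowed_to_push allowed_to_merge code_owner_approval allowed_to_force_push].freeze

# Protected branches covered by the policy. Assumption: an enabled policy
# with block_unprotecting_branches: true affects every protected branch
# matched by a branch_type: protected rule, minus that rule's exceptions.
def affected_branches(policy, protected_branches)
  return [] unless policy['enabled'] && policy.dig('approval_settings', 'block_unprotecting_branches')

  Array(policy['rules']).flat_map do |rule|
    next [] unless rule['branch_type'] == 'protected'

    protected_branches - Array(rule['branch_exceptions'])
  end.uniq
end

# Only unprotecting is rejected; every other settings change passes.
def blocked?(policy, protected_branches, branch, action)
  action == :unprotect && affected_branches(policy, protected_branches).include?(branch)
end

# Audit view: protected branches that can still be unprotected.
def unprotectable(policy, protected_branches)
  protected_branches - affected_branches(policy, protected_branches)
end

policy = YAML.safe_load(POLICY_YAML)
branches = %w[main release foobar] # constructed branch names
branches.each do |b|
  verdicts = [:unprotect, *EDITABLE].map { |a| "#{a}=#{blocked?(policy, branches, b, a) ? 'blocked' : 'allowed'}" }
  puts "#{b}: #{verdicts.join(' ')}"
end
puts "still unprotectable: #{unprotectable(policy, branches).join(', ')}"
```

The last line of output is the one to review when auditing a policy: any branch listed there, whether through branch_exceptions or a disabled policy, can still be unprotected.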
Edited by Alexander Turinske