Settings for merge request approval policy with multiple rules not being properly enforced
Summary
A policy created with multiple rules to override project settings for branch modification and push/force push is not working consistently. Default branches are properly enforced, but other rules based on the wildcard pattern are not.
Steps to reproduce
-
Create a new group and a contained project
-
On the project level:
-
Navigate to
Code > Branches
and create therc
branch. -
Navigate to
Settings > Repository
and create two branch protections forrc
anddevelop
.
-
-
On the group level:
- Navigate to
Security > Policies
and create the following MR approval policy:
type: approval_policy name: Block protected branches enabled: true rules: - type: any_merge_request branches: [rc] commits: any - type: any_merge_request branches: [develop] commits: any actions: - type: require_approval approvals_required: 1 role_approvers: [owner] approval_settings: block_branch_modification: true
- Navigate to
-
On the project level, navigate to
Settings > Repository
and verify that branch protection fordevelop
can be removed, while protection forrc
cannot
- Use a yaml config as below:
- Create branches matching these patterns. For example:
- Observe the behavior for overriding branch settings and how some branches are properly enforced whereas others are not.
Example Project
What is the current bug behavior?
What is the expected correct behavior?
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: \`sudo gitlab-rake gitlab:env:info\`) (For installations from source run and paste the output of: \`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production\`)
Self-managed GitLab, 16.8
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`) (we will only investigate if the tests are passing)
Possible fixes
Edited by Dominic Bauer