Synchronize scan result policy approval rules on default branch change
What does this MR do and why?
We are adding branch_type support to security policies (&9468 (closed)). We need to synchronize approval rules on default branch changes to honor the default value.
How to set up and validate locally
- Create a new project
- Enable the feature flag for the project:

      Feature.enable(:security_policies_branch_type, Project.last)

- Navigate to Repository > Branches and create the develop branch
- Navigate to Secure > Policies and create the following scan result policy:

      type: scan_result_policy
      name: Container Scanning
      enabled: true
      rules:
        - type: scan_finding
          branch_type: default
          scanners:
            - container_scanning
          vulnerabilities_allowed: 0
          severity_levels: []
          vulnerability_states: []
      actions:
        - type: require_approval
          approvals_required: 1
          user_approvers_ids:
            - 1

- Open a new MR targeting the main branch
- Verify that the MR requires Container Scanning approval
- Open a new MR targeting the develop branch
- Verify that the MR does not require approval
- Navigate to Settings > Repository and, in the Protected branches section, protect the develop branch
- Navigate to Settings > Repository and, in the Branch defaults section, change the default branch to develop
- Verify that an MR to develop now requires approval and an MR to main no longer does
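As an added illustration, not GitLab's own code: a minimal Ruby model of why approval rules derived from `branch_type: default` have to be re-synchronised when the default branch changes. It assumes a hypothetical `Project` struct and uses the policy from the steps above as constructed input.

```ruby
require 'yaml'
# Constructed input: the policy from the validation steps above.
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: Container Scanning
  enabled: true
  rules:
    - type: scan_finding
      branch_type: default
      scanners: [container_scanning]
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids: [1]
YAML

# Hypothetical project state (not GitLab's model): branch names and the default.
Project = Struct.new(:branches, :default_branch, keyword_init: true)

# `branch_type: default` resolves against the *current* default branch; a literal `branches:` list does not.
def applicable_branches(rule, project)
  return rule['branches'] & project.branches if rule.key?('branches')
  rule['branch_type'] == 'default' ? [project.default_branch] : []
end

# One approval rule per (policy, resolved branch).
def approval_rules(policy, project)
  required = policy['actions'].first['approvals_required']
  policy['rules'].flat_map do |rule|
    applicable_branches(rule, project).map do |branch|
      { name: policy['name'], branch: branch, approvals_required: required }
    end
  end
end

# Does an MR targeting `target` need this policy's approval?
def requires_approval?(policy, project, target)
  approval_rules(policy, project).any? { |r| r[:branch] == target }
end

# The synchronisation this MR adds: on a default branch change, recompute the rules and report the delta.
def sync_on_default_branch_change(policy, project, new_default)
  before = approval_rules(policy, project)
  project.default_branch = new_default
  after = approval_rules(policy, project)
  { removed: before - after, added: after - before }
end
```

Without the sync step the stale `main` rule would keep blocking MRs to `main` and nothing would guard the new default branch `develop`.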
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #406587 (closed)