Prevent creation of audit events for invalid approval rules
What does this MR do and why?
This MR addresses the issue described in #409469 (closed), where audit events would be created even if the corresponding approval rule failed the validation and wasn't persisted.
The problem is mitigated by Add schema validation for approvals_required (!124766 - merged), where we prevent a policy with invalid required approvals from being created in the first place, but it could in fact happen if any existing validation fails. We don't have such invalid policies on GitLab.com, but we can't know for self-managed instances.
If such an invalid policy exists, it would result in audit events being added stating "Added User X to approval group on Y rule", even though no approval rules would be created.
How to set up and validate locally
Example below:
- Create a project, invite another user to it
- Create a scan result policy under Secure -> Policies, requiring approval from the invited user
- Configure with merge request and merge
- Go to the created repo for the security project and overwrite `approvals_required` to a value greater than 100.

  ```yaml
  actions:
  - type: require_approval
    approvals_required: 101
  ```
- Go back to the original project and create a merge request that would require approvals from the policy
- There should be no approval rules in the MR and `Approval is optional` should be visible
- There should be no audit events created under `-/audit_events`
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #409469 (closed)
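
The failure mode described in this MR, sketched as an added example that is not GitLab's code: an audit trail written from the requested change records an approver on a rule that was never stored, while one written only after a successful save stays consistent with the database. All class and method names are hypothetical, and the 0..100 bound is an assumption taken from the reproduction steps.

```ruby
# Added illustration; class and method names are hypothetical, not GitLab's code.
MAX_APPROVALS = 100 # assumption: the reproduction steps treat values above 100 as invalid

ApprovalRule = Struct.new(:name, :approvals_required, :users, :persisted) do
  def valid?
    approvals_required.is_a?(Integer) && approvals_required.between?(0, MAX_APPROVALS)
  end

  # Mimics an ORM save: returns false and stores nothing when validation fails.
  def save
    self.persisted = valid?
  end
end

class AuditLog
  attr_reader :events

  def initialize
    @events = []
  end

  def record(message)
    @events << message
  end
end

# Before: events are emitted from the requested change, whether or not it was stored.
def sync_rule_unchecked(rule, audit)
  rule.save
  rule.users.each { |u| audit.record("Added User #{u} to approval group on #{rule.name} rule") }
  rule.persisted
end

# After: the audit trail is derived only from state that was actually persisted.
def sync_rule_checked(rule, audit)
  return false unless rule.save

  rule.users.each { |u| audit.record("Added User #{u} to approval group on #{rule.name} rule") }
  true
end

# Builds a constructed rule with one approver ("X") and returns the audit events produced.
def run_sync(approvals_required, checked:)
  rule = ApprovalRule.new("policy", approvals_required, ["X"], false)
  audit = AuditLog.new
  checked ? sync_rule_checked(rule, audit) : sync_rule_unchecked(rule, audit)
  audit.events
end
```

`run_sync(101, checked: false)` returns one misleading event for a rule that does not exist; `run_sync(101, checked: true)` returns none.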