Skip to content

Lower `approvals_required` for conforming `any_merge_request` rules

What does this MR do and why?

We are introducing the any_merge_request scan result policies rule type (&9696 (closed)).

This MR lowers the approvals_required for merge request approval rules that do not violate the commits property. The commits property allows to enforce approval depending on the commits of a source branch: commits: unsigned enforces approval only in the presence of unsigned commits, while commits: any always enforces approval.

How to set up and validate locally

  • Create a new project

  • Enable the feature flag for the project:

    Feature.enable(:scan_result_any_merge_request, Project.find(ID))
  • Navigate to Secure > Policies and create the following scan result policy:

    type: scan_result_policy
    name: Unsigned commits targeting protected branches
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: unsigned
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - root
          - another.user # Replace me
  • Clone the repo locally, check out the signed-commits branch, and create a signed commit:

  • Generate a GPG keypair (assuming GDK):

    gpg --quick-generate-key "root <admin@example.com>" rsa2048 encr,sign 1y
    • Identify the key rsa204/<key_id>:
    % gpg --list-secret-keys --keyid-format LONG | grep -B 2 -i "admin@example.com"
    sec   rsa2048/49449597FFA454E5 2023-09-05 [SCEA] [expires: 2024-09-04]
          FDC47E5E81C2EB02F97693B649449597FFA454E5
    uid                 [ultimate] root <admin@example.com>
    git -c "user.name=admin@example.com" -c "user.signingkey=49449597FFA454E5" ct -S -m "Signed commit"
    • Verify the commit is signed with git show --show-signature
  • Check out the unsigned-commits branch, and create an unsigned commit

  • Push both branches, open MRs targeting main and verify only the MR with the unsigned commit requires approval.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418752 (closed)

Edited by Dominic Bauer

Merge request reports

Loading