Lower `approvals_required` for conforming `any_merge_request` rules
## What does this MR do and why?
We are introducing the `any_merge_request` scan result policy rule type (&9696 (closed)).

This MR lowers `approvals_required` for merge request approval rules that do not violate the `commits` property. The `commits` property allows enforcing approval depending on the commits of the source branch: `commits: unsigned` enforces approval only in the presence of unsigned commits, while `commits: any` always enforces approval.
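The following is an added illustration of the `commits` semantics described above; it is not GitLab's implementation and is not part of this MR. It models a rule and an action as plain hashes shaped like the policy YAML, assumes each commit carries a `:signed` flag (real GitLab derives signature status from the commit object), and shows how `approvals_required` is kept for a violating MR and lowered to 0 otherwise. Branch-type matching is left out.

```ruby
# Added illustrative model of the `commits:` condition on an
# `any_merge_request` rule. Not GitLab's code; the hashes below mirror the
# policy YAML and the :signed flag is an assumption standing in for the
# signature verification GitLab performs on real commits.

# Constructed sample rule and action, shaped like the policy in this MR.
RULE = {
  type: 'any_merge_request',
  branch_type: 'protected',
  commits: 'unsigned'
}.freeze

ACTION = { type: 'require_approval', approvals_required: 1 }.freeze

# True when the merge request's commits violate the rule's `commits`
# property, i.e. when the configured approval must still be enforced.
def commits_violate_rule?(rule, commits)
  case rule[:commits]
  when 'any'
    true                                # always enforce approval
  when 'unsigned'
    commits.any? { |c| !c[:signed] }    # enforce only if an unsigned commit exists
  else
    raise ArgumentError, "unknown commits value: #{rule[:commits].inspect}"
  end
end

# Effective approvals for an MR under this rule: the configured number when
# the commits property is violated, otherwise lowered to 0.
def effective_approvals_required(rule, action, commits)
  commits_violate_rule?(rule, commits) ? action[:approvals_required] : 0
end

# Constructed sample merge requests (SHAs are placeholders).
SIGNED_MR = [{ sha: 'aaaa', signed: true }].freeze
MIXED_MR  = [{ sha: 'aaaa', signed: true }, { sha: 'bbbb', signed: false }].freeze

if __FILE__ == $PROGRAM_NAME
  puts "signed-commits MR requires:   #{effective_approvals_required(RULE, ACTION, SIGNED_MR)} approval(s)"
  puts "unsigned-commits MR requires: #{effective_approvals_required(RULE, ACTION, MIXED_MR)} approval(s)"
end
```

With `commits: unsigned`, an MR whose commits are all signed ends up with 0 required approvals while an MR containing any unsigned commit keeps the configured 1; switching the rule to `commits: any` keeps 1 regardless of signatures.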
## How to set up and validate locally
- Create a new project
- Enable the feature flag for the project:

  ```ruby
  Feature.enable(:scan_result_any_merge_request, Project.find(ID))
  ```

- Navigate to **Secure > Policies** and create the following scan result policy:

  ```yaml
  type: scan_result_policy
  name: Unsigned commits targeting protected branches
  enabled: true
  rules:
    - type: any_merge_request
      branch_type: protected
      commits: unsigned
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers:
        - root
        - another.user # Replace me
  ```

- Clone the repo locally, check out the `signed-commits` branch, and create a signed commit:
  - Generate a GPG keypair (assuming GDK):

    ```shell
    gpg --quick-generate-key "root <admin@example.com>" rsa2048 encr,sign 1y
    ```

  - Identify the key `rsa2048/<key_id>`:

    ```shell
    % gpg --list-secret-keys --keyid-format LONG | grep -B 2 -i "admin@example.com"
    sec   rsa2048/49449597FFA454E5 2023-09-05 [SCEA] [expires: 2024-09-04]
          FDC47E5E81C2EB02F97693B649449597FFA454E5
    uid           [ultimate] root <admin@example.com>
    ```

  - Create the signed commit with that key:

    ```shell
    git -c "user.name=admin@example.com" -c "user.signingkey=49449597FFA454E5" commit -S -m "Signed commit"
    ```

  - Verify the commit is signed with `git show --show-signature`
- Check out the `unsigned-commits` branch, and create an unsigned commit
- Push both branches, open MRs targeting `main`, and verify only the MR with the unsigned commit requires approval.
## MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.
Related to #418752 (closed)