Apply fail-closed to any_merge_request rules
What does this MR do and why?
This MR extends fail-closed behavior to the new `any_merge_request` policy rules. If the rule cannot be enforced, action will be required and the rule will not be auto-approved.
The change in the behavior is done behind an existing feature flag `scan_result_any_merge_request`.
How to set up and validate locally
- In rails console enable `scan_result_any_merge_request` feature flag: `Feature.enable(:scan_result_any_merge_request)`
- Create a policy with `any_merge_request` type and a single user approver. Sample YAML:

  ```yaml
  type: scan_result_policy
  name: Test
  description: ''
  enabled: true
  rules:
    - type: any_merge_request
      branch_type: protected
      commits: any
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 20 # Replace with your user ID
  ```
- Block this user
- Create MR and verify the rule can't be approved.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #418752 (closed)
Edited by Martin Čavoj
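
The fail-closed decision described in this MR, as an added example that is not GitLab's code: a simplified model in which a rule is unenforceable when too few of its approvers can still act. `User`, `Rule`, `evaluate`, `mergeable?` and the sample data are hypothetical names constructed for illustration.

```ruby
# Simplified model of approval-rule evaluation, NOT GitLab's implementation.
# All names and data below are hypothetical and constructed for this example.
User = Struct.new(:id, :state)
Rule = Struct.new(:type, :approvals_required, :approver_ids)

# Approvers who can still act: unknown or blocked users cannot approve.
def eligible_approvers(rule, users)
  rule.approver_ids.filter_map { |id| users[id] }.select { |u| u.state == :active }
end

# Returns :approved, :pending or :blocked for a single rule.
# approvals is the list of user ids that have approved the merge request.
def evaluate(rule, users, approvals, fail_closed:)
  eligible = eligible_approvers(rule, users)
  enforceable = eligible.size >= rule.approvals_required

  unless enforceable
    # Decision point: an unenforceable rule is either waved through
    # (fail-open) or keeps requiring action (fail-closed).
    return fail_closed ? :blocked : :approved
  end

  # Only approvals from eligible approvers count toward the threshold.
  valid = (approvals & eligible.map(&:id)).size
  valid >= rule.approvals_required ? :approved : :pending
end

# A merge request is mergeable only when every rule is approved.
def mergeable?(rules, users, approvals, fail_closed:)
  rules.all? { |r| evaluate(r, users, approvals, fail_closed: fail_closed) == :approved }
end

# Constructed data mirroring the validation steps: the policy's single
# approver (user 20) has been blocked.
USERS = { 20 => User.new(20, :blocked), 21 => User.new(21, :active) }.freeze
RULE  = Rule.new("any_merge_request", 1, [20])

if __FILE__ == $PROGRAM_NAME
  puts "fail-open:   #{evaluate(RULE, USERS, [], fail_closed: false)}"
  puts "fail-closed: #{evaluate(RULE, USERS, [], fail_closed: true)}"
end
```
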