Skip to content

Apply fail-closed to any_merge_request rules

Martin Čavoj requested to merge 418752-fail-closed-any-merge-request into master

What does this MR do and why?

This MR extends fail-closed behavior to the new any_merge_request policy rules. If the rule cannot be enforced, action will be required and the rule will not be auto-approved.

The change in the behavior is done behind an existing feature flag scan_result_any_merge_request.

Screenshots or screen recordings

Before After
image image

How to set up and validate locally

  1. In rails console enable scan_result_any_merge_request feature flag:
    Feature.enable(:scan_result_any_merge_request)
  2. Create a policy with any_merge_request type and a single user approver. Sample YAML:
    type: scan_result_policy
    name: Test
    description: ''
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 20 # Replace with your user ID
  3. Block this user
  4. Create MR and verify the rule can't be approved.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418752 (closed)

Edited by Martin Čavoj

Merge request reports

Loading