Handle optional approvals in policy bot comment
What does this MR do and why?
This MR updates the policy bot comment behavior so that it takes optional approvals into account. A policy may be defined requiring 0 approvals from the approvers and in this case, the wording of the comment was off.
We've decided to handle it this way (#420948 (comment 1506783534)) because the whole feature is still considered MVC and may be subject to significant change, so we decided to not track the comments' metadata via database yet.
Screenshots or screen recordings
Screenshots (three panels): With required approvals | With optional approvals | Hidden comment
How to set up and validate locally
- Create a project
- Go to Secure -> Policies and create a policy in that project, setting `approvals_required` to `0`. Sample YAML:

```yaml
type: scan_result_policy
name: Secrets
description: ''
enabled: true
rules:
  - type: scan_finding
    branches: []
    scanners:
      - secret_detection
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
actions:
  - type: require_approval
    approvals_required: 0
    user_approvers_ids:
      - 4
```

- Create an MR with a policy violation
- Add a CI configuration with the secret detection template. `.gitlab-ci.yml`:

```yaml
include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml

test-job:
  script:
    - echo "Test Job..."
```

- Add a `.env` file in the MR with a leaked secret:

```
AWS_TOKEN="AKIAZYONPI3G4JNCCWGX"
```

- Observe the created comment: it should state "optional reviewers" and have `optional_approvals: scan_finding` in the hidden comment
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #420948 (closed)
Edited by Martin Čavoj
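The validation steps above describe the behaviour this MR targets: a `require_approval` action with `approvals_required: 0` should make the bot comment talk about optional reviewers and record `optional_approvals: scan_finding` in its hidden metadata. The following Ruby is an added illustration, not GitLab's own code: it parses the sample policy from the steps above and classifies the violated rule types; the `classify_violations` and `render_comment` helpers, the visible wording and the `violated_policies:` key are assumptions, while `optional_approvals:` is the key named in the steps.

```ruby
require 'yaml'

# Constructed sample: the scan result policy from the validation steps above,
# with approvals_required set to 0 (optional approvals only).
SAMPLE_POLICY = <<~YAML
  type: scan_result_policy
  name: Secrets
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      branches: []
      scanners:
        - secret_detection
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
  actions:
    - type: require_approval
      approvals_required: 0
      user_approvers_ids:
        - 4
YAML

# Split a policy's rule types into those that block the MR (approvals_required > 0)
# and those that are only advisory (0 approvals). Hypothetical helper, not GitLab's.
def classify_violations(policy_yaml)
  policy = YAML.safe_load(policy_yaml)
  rule_types = policy.fetch('rules', []).map { |r| r['type'] }
  required = policy.fetch('actions', []).any? do |a|
    a['type'] == 'require_approval' && a.fetch('approvals_required', 0).to_i > 0
  end
  required ? { required: rule_types, optional: [] } : { required: [], optional: rule_types }
end

# Render the visible wording and the hidden metadata line. Only the
# `optional_approvals:` key comes from the MR steps; the rest is assumed.
def render_comment(violations)
  visible = if violations[:optional].any? && violations[:required].empty?
    'Policy violations found; approvals from the optional reviewers are recommended.'
  else
    'Policy violations found; approval from the required reviewers is needed.'
  end
  hidden = []
  hidden << "violated_policies: #{violations[:required].join(',')}" if violations[:required].any?
  hidden << "optional_approvals: #{violations[:optional].join(',')}" if violations[:optional].any?
  { visible: visible, hidden: "<!-- #{hidden.join(' ')} -->" }
end
```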