Sync any_merge_request rules regardless of pipelines
What does this MR do and why?
This MR changes the logic that removes required approvals for `any_merge_request` rules.
Currently, the required approvals are removed for policy-compliant MRs only if there is a CI configuration and security scans are included in the pipeline (e.g. `template: Jobs/Secret-Detection.gitlab-ci.yml`).
Because `any_merge_request` rule approvals only depend on whether the commits are unsigned or signed, this change will make it so that the approvals are removed immediately after a change in the MR, regardless of the pipeline setup.
The changes in this MR are done behind a feature flag, `scan_result_any_merge_request`, that is disabled by default.
Screenshots or screen recordings
Before | After |
---|---|
CleanShot_2023-10-12_at_12.15.50 | CleanShot_2023-10-12_at_12.26.22 |
How to set up and validate locally
- In the Rails console, enable the feature flag: `Feature.enable(:scan_result_any_merge_request)`
- Create a policy targeting unsigned commits. Go to Policies -> New scan result policy -> `.yaml mode`. Example YAML:

  ```yaml
  type: scan_result_policy
  name: Unsigned
  description: ''
  enabled: true
  rules:
    - type: any_merge_request
      branch_type: protected
      commits: unsigned
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 4
        - 1
  approval_settings:
    block_protected_branch_modification: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: true
  ```
- Set up signed commits
- Create MR with a signed commit
- Verify the approvals for the policy rule are not required
- Add an unsigned commit (for example via WebIDE)
- Verify the approvals are required
- Force push so that only the signed commits are in the MR again
- Verify the approvals are optional again
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #418752 (closed)
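
A local pre-check for the validation steps above, as an added example that is not part of the original MR or GitLab's code: it lists the commits in an MR range that carry no signature, so you can predict whether the `commits: unsigned` rule should require approvals before pushing. The function names are hypothetical, and treating only git's `%G?` status `N` as "unsigned" is an assumption; GitLab's server-side check may classify commits differently.

```shell
#!/bin/sh
# Added example (not GitLab code): predict whether a `commits: unsigned`
# any_merge_request rule would apply to the commits of a merge request.

# Reads "<sha> <status>" lines on stdin, as produced by
#   git log --format='%H %G?'
# Prints the SHA of every commit without a signature and returns 1 if any
# were found, 0 otherwise.
# Assumption: only status N (no signature) counts as "unsigned"; every other
# status (G, U, B, E, ...) means a signature is present on the commit.
unsigned_commits() {
    found=0
    while read -r sha status; do
        [ -n "$sha" ] || continue          # skip blank lines
        if [ "$status" = "N" ]; then
            printf '%s\n' "$sha"
            found=1
        fi
    done
    return "$found"
}

# Usage: check_mr_range <target-branch> <source-branch>
# Inspects only the commits the MR would add to the target branch. Run it
# where git can invoke your signature verifier (gpg or ssh), otherwise the
# reported statuses may not reflect the commits' real state.
check_mr_range() {
    if git log --format='%H %G?' "$1..$2" | unsigned_commits; then
        echo "no unsigned commits: policy approvals expected to be optional"
    else
        echo "unsigned commits listed above: policy approvals expected to be required"
    fi
}

# Offline demonstration on constructed input: three commits, the second one
# has no signature, so it is the only SHA printed.
demo() {
    printf '%s\n' '1111111 G' '2222222 N' '3333333 G' | unsigned_commits \
        || echo "demo: approvals would be required"
}
demo
```

Running `check_mr_range main my-feature-branch` before and after the force push in the steps above should flip between the two messages, matching what the MR widget shows once the feature flag is enabled.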