Skip to content

Sync any_merge_request rules regardless of pipelines

Martin Čavoj requested to merge 418752-any-mr-remove-approvals-no-scanners into master

What does this MR do and why?

This MR makes change to the logic which removes required approvals for any_merge_request rules.

Currently, the required approvals are removed for policy-compliant MRs only if there is a CI configuration and security scans are included in the pipeline (e.g. template: Jobs/Secret-Detection.gitlab-ci.yml).

Because any_merge_request rule approvals only depend on whether the commits are unsigned or signed, this change will make it so that the approvals are removed immediately after a change in MR regardless of the pipeline setup.

The changes in this MR are done behind a feature flag scan_result_any_merge_request that is disabled by default.

Screenshots or screen recordings

Before After
CleanShot_2023-10-12_at_12.15.50 CleanShot_2023-10-12_at_12.26.22

How to set up and validate locally

  1. In rails console enable the feature flag
    Feature.enable(:scan_result_any_merge_request)
  2. Create a policy targeting unsigned commits. Go to Policies -> New scan result policy -> .yaml mode. Example YAML:
    type: scan_result_policy
    name: Unsigned
    description: ''
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: unsigned
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 4
          - 1
    approval_settings:
      block_protected_branch_modification: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: true
  3. Set up signed commits
  4. Create MR with a signed commit
  5. Verify the approvals for the policy rule are not required
  6. Add an unsigned commit (for example via WebIDE)
  7. Verify the approvals are required
  8. Force push so that only the signed commits are in the MR again
  9. Verify the approvals are optional again

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418752 (closed)

Edited by Martin Čavoj

Merge request reports

Loading