Skip to content

Evaluate any_merge_request rules for applicable branch

Martin Čavoj requested to merge 418752-evaluate-branch-type into master

What does this MR do and why?

This MR adds a constraint on the policy violations of any_merge_request rules and applies them correctly to the target branch. Policy can only target protected branches, so if merge request's target branch is a non-protected one, it shouldn't evaluate the policies as violated.

It also addresses refactoring from Refactor SyncAnyMergeRequestRulesService (#428374 - closed).

How to set up and validate locally

  1. Enable the feature flag
    Feature.enable(:scan_result_any_merge_request)
  2. Go to Code -> Branches and create a new branch
  3. Go to Secure -> Policies and create a policy. Example YAML:
    type: scan_result_policy
    name: Unsigned
    description: ''
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: unsigned
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 1
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: true
  4. Create MR with unsigned commit (for example from Web IDE), but change the target branch to the new branch created before
  5. There should be no bot comment saying that policy has been violated and there shouldn't be any scan_result_policy_violations record in the database for this merge request
  6. Change the branch of existing MR to a protected one
  7. The bot comment should appear, there should be a new record in scan_result_policy_violations table and an approval should be required

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418752 (closed)

Edited by Martin Čavoj

Merge request reports

Loading