Prevent update of default branch if block_unprotecting_branches is set
What does this MR do and why?
This MR prevents updating the default branch of a project if the block_unprotecting_branches
setting is set in Scan Result Policies. The feature is still behind the feature flag scan_result_policies_block_unprotecting_branches.
Addresses #430304 (closed)
Screenshots or screen recordings
How to set up and validate locally
- Enable the feature flag:
  echo "Feature.enable(:scan_result_policies_block_unprotecting_branches)" | rails c
- Go to Project -> Settings -> Repository -> Branch defaults -> Make main the default branch
- Go to Project -> Code -> Branches -> Create a new branch
- Go to Secure -> Policies -> New policy -> Scan Result Policy
- Go to yaml mode
- Use this policy:
  type: scan_result_policy
  name: Require approval for vulnerabilities
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - maintainer
        - developer
  approval_settings:
    block_unprotecting_branches: true
- Save the policy
- Go to Project -> Settings -> Repository -> Branch defaults
- Update the default branch and verify the error message
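The check this MR describes, written out as a small stand-alone Ruby model (added example, not GitLab's code): the policy from the steps above is parsed, and a default-branch change is rejected only when the feature flag is on and an enabled policy sets block_unprotecting_branches. The flag lookup and the error text are constructed here, since the page does not show GitLab's implementation or the exact message.

```ruby
require 'yaml'

# Constructed sample: the policy from the verification steps above.
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: Require approval for vulnerabilities
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - maintainer
        - developer
  approval_settings:
    block_unprotecting_branches: true
YAML

# Hypothetical stand-in for the feature flag lookup, not GitLab's Feature API.
FEATURE_FLAGS = { scan_result_policies_block_unprotecting_branches: true }.freeze

# True when any enabled policy sets block_unprotecting_branches in its approval_settings.
def blocks_unprotecting_branches?(policies)
  policies.any? do |policy|
    policy['enabled'] == true &&
      policy.dig('approval_settings', 'block_unprotecting_branches') == true
  end
end

# Returns nil when the default-branch change is allowed, otherwise an error message
# (the message text is constructed here; the page does not quote the real one).
def validate_default_branch_change(policies, current:, requested:, flags: FEATURE_FLAGS)
  return nil if current == requested
  return nil unless flags.fetch(:scan_result_policies_block_unprotecting_branches, false)
  return nil unless blocks_unprotecting_branches?(policies)
  "Cannot change the default branch from '#{current}' to '#{requested}': " \
    'a scan result policy blocks unprotecting branches'
end

policies = [YAML.safe_load(POLICY_YAML)]
puts validate_default_branch_change(policies, current: 'main', requested: 'feature') || 'allowed'
```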
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Sashi Kumar Kumaresan