Allow updates of protected branch with block_unprotecting_branches
What does this MR do and why?
This MR reverts some of the restrictions introduced in Let scan result policies prevent changes to pro... (!130653 - merged), as they went too far. We should only prevent users from unprotecting branches, not from changing other settings such as Allowed to push, Allowed to merge, Code owner approval, or Allowed to force push.
Screenshots or screen recordings
| Before | After |
|---|---|
| CleanShot_2023-11-08_at_19.04.13 | CleanShot_2023-11-08_at_19.02.38 |

Trying to circumvent the disabled button still correctly prevents me from unprotecting the branch, which is rejected with a 403:

CleanShot_2023-11-08_at_19.07.39
How to set up and validate locally
- Upload a GitLab Ultimate license
- Enable the feature flag:

```shell
echo "Feature.enable(:scan_result_policies_block_unprotecting_branches)" | rails c
```

- Go to Project/Settings/Repository/Protected Branches (`/settings/repository#js-protected-branches-settings`)
- Protect a couple of branches; you should be able to unprotect them
- Go to Secure => Policies => New policy => Scan Result Policy
- Create the policy in rule mode to match the YAML below, or go to YAML mode and use the policy below:

```yaml
type: scan_result_policy
name: Container Scanning
description: ''
enabled: true
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - 1
rules:
  - type: scan_finding
    scanners:
      - container_scanning
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
    branch_exceptions:
      - foobar # actual protected branch name you want to exclude
approval_settings:
  block_unprotecting_branches: true
```

- Go back to settings; the unprotect button should be disabled
- Change other settings for the branch
- Expect that they should be changeable
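To make the intended semantics of the validation steps above concrete, here is an added illustration (not GitLab's own implementation) of the rule this MR enforces: with `block_unprotecting_branches: true`, only unprotecting a protected branch is refused (the API returns 403), while branches listed in `branch_exceptions` and all other settings remain editable. The policy document and the helper names are constructed for this example.

```ruby
# Added example, not GitLab code: models the decision "is this protected-branch
# action blocked by a scan result policy with block_unprotecting_branches?".
require 'yaml'

# Constructed policy, reduced to the keys this check needs.
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: Container Scanning
  enabled: true
  rules:
    - type: scan_finding
      branch_type: protected
      branch_exceptions:
        - foobar
  approval_settings:
    block_unprotecting_branches: true
YAML

# Settings that must stay editable even when unprotecting is blocked.
OTHER_SETTINGS = %i[allowed_to_push allowed_to_merge
                    code_owner_approval allowed_to_force_push].freeze

# Raised for a blocked unprotect; the API layer would map this to HTTP 403.
class UnprotectBlockedError < StandardError; end

# True when an enabled policy with the setting covers this branch and the
# branch is not listed in the rule's branch_exceptions.
def policy_blocks_unprotecting?(policy, branch)
  return false unless policy['enabled'] && policy.dig('approval_settings', 'block_unprotecting_branches')

  Array(policy['rules']).any? do |rule|
    rule['branch_type'] == 'protected' && !Array(rule['branch_exceptions']).include?(branch)
  end
end

# Only :unprotect is subject to the policy; every other action is allowed.
def authorize_protected_branch_action(policy, branch, action)
  if action == :unprotect && policy_blocks_unprotecting?(policy, branch)
    raise UnprotectBlockedError, "unprotecting #{branch} is blocked by policy '#{policy['name']}'"
  end
  :allowed
end

def blocked?(policy, branch, action)
  authorize_protected_branch_action(policy, branch, action)
  false
rescue UnprotectBlockedError
  true
end
```

Running `blocked?(YAML.safe_load(POLICY_YAML), 'main', :unprotect)` returns true, while the same call for `'foobar'` or for any entry of `OTHER_SETTINGS` returns false.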
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #430718 (closed)
Edited by Martin Čavoj