Skip to content

Add `block_group_branch_modification` to security policies

What does this MR do and why?

Adds the approval_settings.block_group_branch_modification property to security policies.

See Implementation plan for the intended behaviour

Screenshots or screen recordings

How to set up and validate locally

  • Create a new top-level group and enable the feature flags:

    Feature.enable(:scan_result_policy_block_group_branch_modification, Group.last)
    Feature.enable(:allow_protected_branches_for_group, Group.last)
  • Navigate to Settings > Repository and create a branch protection.

    type: scan_result_policy
    name: 'Test'
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids: [1]
    approval_settings:
      block_branch_modification: true
  • Verify that the previously created branch protection can not be deleted.

  • Verify that the branch protection cannot be deleted via API:

    curl --request DELETE --header "PRIVATE-TOKEN: <TOKEN>" "http://gdk.test:3000/api/v4/groups/<GROUP_ID>/protected_branches/<NAME>"
    {"message":"403 Forbidden"}
  • Update the policy:

    type: scan_result_policy
    name: 'Test'
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids: [1]
    approval_settings:
      block_branch_modification: true
    + block_group_branch_modification: false
  • Verify that the branch protection can be deleted.

  • Update the policy:

    type: scan_result_policy
    name: 'Test'
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids: [1]
    approval_settings:
      block_branch_modification: true
    - block_group_branch_modification: false
    + block_group_branch_modification:
    +   enabled: true
    +   exceptions: [<GROUP_NAME>]
  • Verify that the branch protection can be deleted.

  • Remove the group name from exceptions. Verify that the previously created branch protection can not be deleted.

Related to #420724 (closed)

Edited by Dominic Bauer

Merge request reports

Loading