Consider merge request pipelines for license approval policies
What does this MR do and why?
This change fixes a bug where license approval policies enforced an incorrect approval when the merge request pipeline is marked as the head pipeline of an MR.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
| Before | After |
| ------ | ----- |
How to set up and validate locally
- Create a project with both merge request and branch pipelines, with the MR pipeline taking longer to finish (add a `sleep`). Example project: https://gitlab.com/gitlab-org/govern/demos/sandbox/alan/gisolf-verification/slow-mr
- Create a license approval policy and a scan execution policy that adds a dependency scanning job to all pipelines, with policies like:

  Scan execution policy:

  ```yaml
  name: DS Scan
  description: ''
  enabled: true
  actions:
    - scan: dependency_scanning
  rules:
    - type: pipeline
      branch_type: all
  ```

  License approval policy:

  ```yaml
  name: License policy
  description: ''
  enabled: true
  actions:
    - type: require_approval
      approvals_required: 1
      group_approvers_ids:
        - 22
  rules:
    - type: license_finding
      match_on_inclusion: false
      license_types:
        - MIT License
        - unknown
      license_states:
        - newly_detected
      branch_type: protected
  approval_settings:
    block_branch_modification: false
    prevent_pushing_and_force_pushing: false
  ```

- Create an MR that updates the README, verify that the `dependency_scanning` job is added to the branch pipeline, and wait for both pipelines to complete.
- Verify that the approval is not enforced and that there is no comment from the policy violation bot.
Addresses #448659 (closed)
Edited by Sashi Kumar Kumaresan
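The first validation step needs a project whose source branch gets both a branch pipeline and a merge request pipeline, with the MR pipeline finishing later so that it becomes the head pipeline after the branch pipeline (and the policy-injected `dependency_scanning` job) has completed. The `.gitlab-ci.yml` below is an added example of such a setup; it is not taken from the MR or from the linked `slow-mr` demo project, and the job name, image and sleep duration are assumptions.

```yaml
# Added example .gitlab-ci.yml for reproducing the timing described in the
# validation steps. Not the MR's or the demo project's own config; job name,
# image and sleep length are assumptions.

workflow:
  rules:
    # Run a merge request pipeline for every MR event ...
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # ... and a branch pipeline for every push to a branch, so the MR's source
    # branch has both pipelines at the same commit.
    - if: $CI_COMMIT_BRANCH

stages:
  - build

build:
  stage: build
  image: alpine:latest
  script:
    - |
      if [ "$CI_PIPELINE_SOURCE" = "merge_request_event" ]; then
        # Make the MR pipeline the slow one so that it finishes (and becomes
        # the head pipeline) only after the branch pipeline has completed.
        echo "merge request pipeline: sleeping before finishing"
        sleep 120
      else
        echo "branch pipeline: finishing immediately"
      fi
```

With this config, pushing a change to the README on a branch with an open MR produces two pipelines for the same commit; the branch pipeline (where the scan execution policy adds `dependency_scanning`) completes first, and the MR pipeline becomes the head pipeline roughly two minutes later, which is the ordering the fix is meant to handle.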