Unblock fail-open `license_scanning` rules without target pipeline
What does this MR do and why?
Unblocks fail-open `license_scanning` rules when the MR target branch lacks Dependency Scanning (#456115 (closed)).
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a new project and enable the feature flag:

  ```ruby
  Feature.enable(:merge_request_approval_policies_fallback_behavior, Project.last)
  ```

- Add a second Owner member to the project.
- Navigate to Secure > Policies and create the following approval policies (identical except that the first one declares `fallback_behavior: fail: open`; the second has no `fallback_behavior` and therefore fails closed):

  ```yaml
  type: approval_policy
  name: Deny MIT Fail Open
  enabled: true
  fallback_behavior:
    fail: open
  rules:
    - type: license_finding
      match_on_inclusion: true
      license_types:
        - MIT
      license_states:
        - newly_detected
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - owner
  ```

  ```yaml
  type: approval_policy
  name: Deny MIT Fail Closed
  enabled: true
  rules:
    - type: license_finding
      match_on_inclusion: true
      license_types:
        - MIT
      license_states:
        - newly_detected
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - owner
  ```

- Create a new MR that adds the following files. The target (default) branch must not run Dependency Scanning itself, so there is no base pipeline report to compare the source branch's license findings against and the `license_finding` rules cannot be evaluated:

  - `Gemfile.lock`

    ```
    GEM
      remote: https://rubygems.org/
      specs:
        rack (3.0.10)

    PLATFORMS
      arm64-darwin-22
      ruby

    DEPENDENCIES
      rack

    BUNDLED WITH
       2.5.4
    ```

  - `.gitlab-ci.yml`

    ```yaml
    include:
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
    ```

- Verify that only the `Deny MIT Fail Closed` rule requires approval.
- Disable the feature flag and push an unrelated file to the MR source branch, then verify that both rules require approval.
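The following Ruby is an added illustration of the decision the validation steps above exercise; it is not GitLab's implementation and is not part of this MR. It loads constructed copies of the two policies, and models (as assumptions) that a `license_finding` rule which cannot be compared against a target-branch Dependency Scanning report falls back to `fallback_behavior.fail`, that a missing `fallback_behavior` means fail closed, and that with the feature flag disabled `fallback_behavior` is ignored entirely. The function and parameter names (`resolve_license_rule`, `policies_requiring_approval`, `target_has_dependency_scanning`) are invented for the example.

```ruby
require 'yaml'

# Constructed copies of the two policies from the validation steps (not project code).
POLICIES = YAML.load_stream(<<~YAML).freeze
  type: approval_policy
  name: Deny MIT Fail Open
  enabled: true
  fallback_behavior:
    fail: open
  rules:
    - type: license_finding
      match_on_inclusion: true
      license_types:
        - MIT
      license_states:
        - newly_detected
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - owner
  ---
  type: approval_policy
  name: Deny MIT Fail Closed
  enabled: true
  rules:
    - type: license_finding
      match_on_inclusion: true
      license_types:
        - MIT
      license_states:
        - newly_detected
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - owner
YAML

# Resolve one policy's license_finding rule. Illustrative model, not GitLab's code:
#   :required  - approval stays required (fail-closed fallback, or a matching finding)
#   :unblocked - the rule could not be evaluated and the policy fails open
#   :passed    - evaluated, and no listed license was newly detected
# `target_has_dependency_scanning` stands for "the target branch pipeline produced
# a Dependency Scanning report that the MR's license findings can be compared against".
def resolve_license_rule(policy, target_has_dependency_scanning:, newly_detected_licenses: [])
  rule = policy.fetch('rules', []).find { |r| r['type'] == 'license_finding' }
  return :passed unless rule && policy['enabled']

  unless target_has_dependency_scanning
    # No comparison data: apply the fallback. Assumption: a missing
    # fallback_behavior means fail closed, i.e. keep requiring approval.
    fail_mode = policy.dig('fallback_behavior', 'fail') || 'closed'
    return fail_mode == 'open' ? :unblocked : :required
  end

  # match_on_inclusion: true => a listed license that is newly detected violates the rule.
  (newly_detected_licenses & rule.fetch('license_types')).empty? ? :passed : :required
end

# Names of the policies that still require approval. The feature flag is modelled
# (assumption) as: when disabled, fallback_behavior is ignored and every policy fails closed.
def policies_requiring_approval(policies, fallback_enabled:, target_has_dependency_scanning:, newly_detected_licenses: [])
  policies.select do |policy|
    effective = fallback_enabled ? policy : policy.reject { |key, _| key == 'fallback_behavior' }
    resolve_license_rule(effective,
                         target_has_dependency_scanning: target_has_dependency_scanning,
                         newly_detected_licenses: newly_detected_licenses) == :required
  end.map { |policy| policy['name'] }
end

if $PROGRAM_NAME == __FILE__
  # Flag on, target branch without Dependency Scanning: only the fail-closed policy blocks.
  p policies_requiring_approval(POLICIES, fallback_enabled: true, target_has_dependency_scanning: false)
  # Flag off: both policies block.
  p policies_requiring_approval(POLICIES, fallback_enabled: false, target_has_dependency_scanning: false)
end
```

The model makes the security trade-off explicit: fail-open treats "no comparison data" as "nothing to block on", so it should only be chosen for policies where a missing scan on the target branch is an acceptable gap; fail-closed keeps the approval gate whenever the rule cannot actually be evaluated.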
Related to #451784 (closed), #456115 (closed)