Delete existing policy reads for invalidating policy edits
What does this MR do and why?
Fixes a bug in MR approval policy synchronisation: after a policy.yml is manually edited in a way that makes it no longer validate against our JSON schema, the pre-existing MR approval policies that were mirrored to the database are not deleted.
The policies disappear from the UI, but the mirrored policies in the database still take effect; see for example https://gitlab.com/gitlab-com/dev-sub-department/section-dev-request-for-help/-/issues/286#note_2022565617.
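The failure mode described above, as an added illustration that is not GitLab's own code: a minimal in-memory mirror of approval policies is re-synchronised from policy.yml, and the stand-in validator (`policy_yml_valid?`, a hypothetical replacement for the real JSON-schema check) rejects the edited file. With the old behaviour the stale mirror keeps enforcing approvals; with the fix the mirrored policies are removed.

```ruby
# Added illustration (not GitLab's code). The schema check below is a
# simplified stand-in for the real JSON-schema validation of policy.yml.
require 'yaml'

REQUIRED_KEYS = %w[name enabled rules actions].freeze

# Returns true only if every approval_policy entry carries the required keys.
def policy_yml_valid?(yaml_text)
  doc = YAML.safe_load(yaml_text)
  policies = doc.is_a?(Hash) ? doc['approval_policy'] : nil
  return false unless policies.is_a?(Array) && !policies.empty?

  policies.all? { |p| p.is_a?(Hash) && (REQUIRED_KEYS - p.keys).empty? }
end

# Synchronises the mirror (Hash of policy name => policy) with policy.yml.
# fix: false reproduces the bug: an invalid file is ignored and the stale
# mirror keeps its effect. fix: true clears the mirror so that policies
# that no longer validate stop being enforced.
def sync_policies(mirror, yaml_text, fix: true)
  unless policy_yml_valid?(yaml_text)
    mirror.clear if fix
    return mirror
  end

  mirror.clear
  YAML.safe_load(yaml_text)['approval_policy'].each { |p| mirror[p['name']] = p }
  mirror
end

# Constructed sample: the policy from the validation steps, as mirrored.
VALID_POLICY = <<~YAML
  approval_policy:
  - name: Test
    enabled: true
    rules:
    - type: any_merge_request
      branch_type: protected
      commits: any
    actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
      - owner
YAML

# The invalidating edit: `enabled` turned into its own list item.
INVALID_POLICY = VALID_POLICY.sub("- name: Test\n  enabled: true",
                                  "- name: Test\n- enabled: true")
```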
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a new top-level group
- Create a project inside that group
- On the group level, navigate to Secure > Policies and create the following MR approval policy:

```yaml
type: approval_policy
name: Test
enabled: true
rules:
- type: any_merge_request
  branch_type: protected
  commits: any
actions:
- type: require_approval
  approvals_required: 1
  role_approvers:
  - owner
approval_settings:
  prevent_pushing_and_force_pushing: true
```
- In the security policy project, open and merge an MR that invalidates `.gitlab/security-policies/policy.yml`:

```yaml
---
approval_policy:
- name: Test
- enabled: true
  rules:
  - type: any_merge_request
    branch_type: protected
    commits: any
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - owner
  approval_settings:
    prevent_pushing_and_force_pushing: true
```
- On the project level, navigate to Settings > Repository, expand Protected branches and verify that you can update, for example, the Allowed to merge dropdown for the default branch.