Resolve "On MR creation set `approvals_required: 0` for policy approval rules"
What does this MR do and why?
Previously, we set the `approvals_required` to 1 as we were waiting for the security violations to be executed.
On creation/update, we want to set the `approvals_required` to 0 as we now have a mergeability check which waits for the security violations to run. Once the violations are run, the `approvals_required` will be updated.
To test:

- Turn on the feature flag `policy_mergability_check` and ensure you have a Docker runner.
- In the project, ensure that `main` is a protected branch.
- Create `.gitlab-ci.yml`:

  ```yaml
  include:
    - template: Jobs/Secret-Detection.gitlab-ci.yml

  test-job:
    stage: test
    script:
      - echo "Testing"
  ```

- Go to Secure -> Policies -> New policy. Select "Merge request approval policy".
- Switch to the `.yaml mode` and use the following YAML:

  ```yaml
  type: approval_policy
  name: Security
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - developer
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: false
  fallback_behavior:
    fail: closed
  ```

- Configure with a merge request and merge.
- Go back to the project and open a new MR.
- The MR should be blocked by the security evaluation check, and the security rule should be optional.
- Create a `.env` file with `AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ`.
- Push, wait for the CI to run, and the approval rules should be required.
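The lifecycle the description and test steps rely on (`approvals_required` 0 on creation, the mergeability check blocking the MR until the scans finish, then the rule updated from the violations, with `fallback_behavior: fail: closed`), as an added Python model that is not GitLab's code; `PolicyRule`, `ScanState`, `evaluate` and the handling of a scan that fails to run are assumptions for illustration.

```python
"""Model of the approval-rule lifecycle described in this MR (added example,
not GitLab code; class and function names are assumptions)."""
from dataclasses import dataclass
from enum import Enum


class ScanState(Enum):
    PENDING = "pending"      # security jobs have not finished yet
    COMPLETED = "completed"  # scan ran and findings were evaluated
    FAILED = "failed"        # scan could not run (job/pipeline failure)


@dataclass
class PolicyRule:
    name: str
    policy_approvals: int         # approvals_required in the policy YAML (1 above)
    fail_closed: bool = True      # fallback_behavior: fail: closed
    approvals_required: int = 0   # value set on MR creation/update (this MR's change)


@dataclass
class MergeabilityResult:
    approvals_required: int
    security_evaluation_complete: bool  # status of the mergeability check

    def can_merge(self, approvals_given: int) -> bool:
        # Both gates must pass: the evaluation check and the approval count.
        return self.security_evaluation_complete and approvals_given >= self.approvals_required


def evaluate(rule: PolicyRule, state: ScanState, violations: int) -> MergeabilityResult:
    """Recompute the rule after CI: 'once the violations are run, the
    approvals_required will be updated'."""
    if state is ScanState.PENDING:
        # Rule stays optional (0) but the mergeability check still blocks the MR,
        # so the 0 does not open a window to merge unscanned changes.
        return MergeabilityResult(rule.approvals_required, False)
    if state is ScanState.FAILED:
        # Model's reading of fallback_behavior: fail closed requires the policy's
        # approvals when the scan cannot run; fail open leaves the rule optional.
        required = rule.policy_approvals if rule.fail_closed else 0
        return MergeabilityResult(required, True)
    # COMPLETED: the rule is required only when findings violate the policy
    # (vulnerabilities_allowed: 0 means any finding, e.g. the AWS token above).
    required = rule.policy_approvals if violations > 0 else 0
    return MergeabilityResult(required, True)
```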
Related to #478862 (closed)