Do not unassign bot when security MR fails validation
Summary
When a security MR fails validation, for example when the pipeline is red, the bot leaves a message asking the assignees to fix the MR and unassigns itself.
This can result in a lot of back-and-forth, with the assignee assigning the bot, the bot unassigning itself due to an error, the assignee fixing the error and reassigning the bot, and the bot unassigning itself again due to another error.
It also results in the security issue appearing with the status "Unassigned merge requests" in the security issues table used by RMs. It would be better for the actual error (red pipeline or unresolved discussions, etc.) to appear in the security issues table.
I'm not sure there is any advantage to the bot unassigning itself.
Proposal
- If an MR has all the necessary approvals, the bot should not unassign itself if the MR fails validation.
  - Leave a message for the assignee, but don't unassign itself.
- If the MR does not have necessary approvals, unassigning makes sense since the MR has probably not been reviewed yet.
- If the bot finds a red pipeline, start a new pipeline.
  - We could use a threshold here. For example, don't run a new pipeline if the last one completed less than 2 hours ago.
Advantages:
- One less step for developers to do, i.e., developers don't need to remember to reassign the bot after fixing the error.
- Errors like red pipelines could resolve themselves if the cause is a broken master/stable-branch.
Disadvantages:
- The bot might leave multiple messages about the same problem if the RM runs the merge command multiple times. This seems like a small price to pay though.