Allow reporters to approve MRs if they are explicitly listed in the approval rules
Problem to solve
This issue is one iteration toward supporting the wider enterprise's workflows for managing release approvals via MRs. When an operator is "allowed to deploy" to production, they need developer access and the ability to push/merge into the branch (if it is protected) in order to deploy into protected environments. This permits operators to commit code, which raises auditing concerns.
A similar issue exists when a non-code-contributing approver for merge requests is required: they must be developers in order to approve merge requests.
Intended users
Further details
- We will need to add a configuration option for groups specifying that maintainers cannot deploy and that only this deployer role can deploy.
User experience goal
Users that have no access to modify the code (reporters) ought to still be able to approve MRs and deploy to protected environments when they are designated as approvers or deployers.
Scenario:
Developers (with developer access) to a project ought to be allowed to develop and push/merge into protected branches, but NOT deploy to production. This is accomplished by pairing protected branches and protected environments with an externalized CI YAML.
Managers or operators (with reporter access) to a project sometimes need to be required approvers of an MR before a merge to a protected branch commences. These managers/operators ought not to be allowed to push/merge any code to any branch, but. The only users that are able to "approve" a merge request are users that can also push/merge code. This means there is no segregation of duties between MR approvers and code contributors.
Proposal
Spawned from #201898 (closed)
The idea is to use the reporters role as "operators".
Allow the reporter role to approve MRs if the user is explicitly listed in the approval rules.
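As an added illustration (not GitLab's code), the approval check described in the scenario and proposal, modelled in Python with constructed roles, users and an approval rule: `can_approve_current` encodes today's behaviour, `can_approve_proposed` the requested one, and `approvers_with_write_access` flags listed approvers who can also push/merge, which is the segregation-of-duties concern.

```python
# Added example, not GitLab code. Roles, users and the rule are constructed
# to model the permission check this issue discusses.
from dataclasses import dataclass

# Access levels, lowest to highest (constructed subset of GitLab roles).
ROLE_LEVEL = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40}


@dataclass
class ApprovalRule:
    name: str
    approvers: set  # usernames explicitly listed on the rule
    required: int   # approvals needed to satisfy the rule


@dataclass
class Project:
    members: dict   # username -> role name
    rules: list     # list of ApprovalRule


def can_push_or_merge(project: Project, user: str) -> bool:
    """Developer access or higher is what allows pushing/merging code."""
    role = project.members.get(user, "guest")
    return ROLE_LEVEL.get(role, 0) >= ROLE_LEVEL["developer"]


def can_approve_current(project: Project, user: str) -> bool:
    """Today: approving requires the same access that allows push/merge."""
    return can_push_or_merge(project, user)


def can_approve_proposed(project: Project, user: str) -> bool:
    """Proposal: a reporter may approve only when a rule names them explicitly."""
    if can_push_or_merge(project, user):
        return True
    if project.members.get(user) != "reporter":
        return False
    return any(user in rule.approvers for rule in project.rules)


def approvers_with_write_access(project: Project) -> list:
    """Listed approvers who can also push/merge: no segregation of duties."""
    listed = {u for rule in project.rules for u in rule.approvers}
    return sorted(u for u in listed if can_push_or_merge(project, u))


def sample_project() -> Project:
    """Constructed project: one developer, one listed reporter, one unlisted reporter."""
    rule = ApprovalRule("release-sign-off", {"alice", "bob"}, required=1)
    return Project({"alice": "developer", "bob": "reporter", "carol": "reporter"}, [rule])
```

Running the checks against `sample_project()` shows the listed reporter `bob` gains approval rights only under the proposed rule, while the unlisted reporter `carol` gains nothing.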