Add an instance-level setting to require Jira association in Merge Requests


Problem to solve

As a follow-up to #235616 (closed), enterprise customers do not have the ability to require this particular attribute of a merge request. In most regulated environments a change cannot ship unless it has an associated change ticket from Jira, ServiceNow, or other services. The lack of this feature creates a gap in an organization's compliance posture and creates problems for them during an audit when reviewing chain of custody and the SDLC.

Intended users

User experience goal

An admin and/or group owner can optionally require the Jira ticket field in an MR be populated before the MR can be merged.

Proposal

This will need to be broken down into smaller pieces:

  1. Add a toggle at the instance-level to require an MR (in a regulated project) have a Jira ticket entered
  2. The MR should not be mergeable until this entry exists

This should be enforceable only for projects that have a compliance framework label.

Further details

We should reduce the scope of this enforcement based on compliance project labels.

Implementation plan

Notes:

  1. Any approval restrictions we impose will need to be applied to both the GUI and API. It is worth noting that the current Vue implementation already uses our v4 API to get its data, so the implementation plan below takes this into account.
  2. This is limited to only regulated (compliance-labelled) projects.

backend

  1. Add new :prevent_merge_requests_approval_if_no_change_id to :application_settings DB table
  2. Add this setting to ee/lib/ee/api/helpers/settings_helpers.rb (this should automatically be picked up by the compliance framework limitations)
  3. Add new policy to MergeRequestPolicy to block approvals (sets prevent :approve_merge_request) if this setting is on and optionally (if a compliance framework label limitation is applied) compare the project's compliance framework label with the setting's compliance framework limitation
    • This will automatically set the user_can_approve to false within the API
  4. Update tests

frontend

  1. Add new toggle to /admin/push_rule to enable/disable this restriction
  2. Update tests
Edited by 🤖 GitLab Bot 🤖
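
The backend policy check from the implementation plan, modelled as standalone Ruby; this is an added example, not GitLab's code. The struct and method names, the Jira key pattern, and the reading that an empty limitation covers every labelled project are assumptions; only the setting name comes from backend step 1.

```ruby
# Added illustration, not GitLab code: a standalone model of the approval gate
# in the plan above. All struct, method and constant names are hypothetical,
# except the setting name, which is taken from backend step 1.
Settings = Struct.new(:prevent_merge_requests_approval_if_no_change_id,
                      :framework_limitation, keyword_init: true)
Project = Struct.new(:compliance_framework, keyword_init: true)
MergeRequest = Struct.new(:change_id, :project, keyword_init: true)

# Assumed Jira key shape (e.g. "OPS-42"). \A and \z anchor the whole string;
# ^ and $ would accept a valid-looking key on any line of a multi-line value.
JIRA_KEY = /\A[A-Z][A-Z0-9_]+-[1-9][0-9]*\z/

def change_id_present?(mr)
  JIRA_KEY.match?(mr.change_id.to_s.strip)
end

# The gate applies only when the setting is on and the project carries a
# compliance framework label; an optional limitation narrows it to named labels.
def enforced?(settings, project)
  return false unless settings.prevent_merge_requests_approval_if_no_change_id
  label = project.compliance_framework.to_s.strip.downcase
  return false if label.empty?
  limit = Array(settings.framework_limitation).map { |l| l.to_s.strip.downcase }
  limit.empty? || limit.include?(label)
end

# Single decision point: GUI and API callers both ask this, so neither can
# approve what the other refuses.
def can_approve?(settings, mr)
  !enforced?(settings, mr.project) || change_id_present?(mr)
end

# Constructed sample: a labelled project, without and then with a ticket.
settings = Settings.new(prevent_merge_requests_approval_if_no_change_id: true)
project = Project.new(compliance_framework: "SOX")
puts can_approve?(settings, MergeRequest.new(change_id: nil, project: project))
puts can_approve?(settings, MergeRequest.new(change_id: "OPS-42", project: project))
```

A value that matches the pattern only shows that something shaped like a key was entered; confirming that the ticket exists requires a lookup against the tracker.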