Discussion: can allow_failure merge with the security gate, or should it just be a recommendation?

Background

This issue was created from an original comment.

There are two things a user can do when they want to stop code from being merged:

  • Set "allow_to_fail: true"
    • remove "allow_failure" on "exit_code" 1 so the pipeline fails when the job fails (MR approval is irrelevant here)
    • and/or remove "allow failure" on "exit_code" 2, which is returned when new vulnerabilities are found (MR approvals would never be triggered), and set the pipeline to fail on job failure
  • enable the security gate (aka MR approval)
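As an added illustration (not from this issue or from GitLab's own CI templates), here is a hypothetical scanner job written three ways, from the permissive setting the first option describes to the strict one. It assumes a wrapper script `./run-scanner.sh` whose exit codes follow the meaning the issue gives them (1 = job failure, 2 = new vulnerabilities found); that meaning is an assumption taken from the text above.

```yaml
# Hidden base job; ./run-scanner.sh is a hypothetical wrapper that exits
# 0 when clean, 1 on a scanner/job error and 2 when new vulns are found
# (exit-code meaning assumed from the issue text, not verified).
.scan:
  stage: test
  image: alpine:3.19
  script:
    - ./run-scanner.sh
  artifacts:
    reports:
      # the report is what an MR approval rule (security gate) evaluates
      sast: gl-sast-report.json

# A: nothing blocks the pipeline, so only an MR approval rule can stop the
# merge. A finding is invisible unless someone looks at the job or the gate.
scan-permissive:
  extends: .scan
  allow_failure: true

# B: tolerate a broken scan (exit 1) but fail the pipeline when the scanner
# reports new vulnerabilities (exit 2).
scan-gate-on-vulns:
  extends: .scan
  allow_failure:
    exit_codes: [1]

# C: any non-zero exit fails the pipeline; scanner outages block merges too.
scan-strict:
  extends: .scan
  allow_failure: false
```

A failed pipeline only blocks merging when the project's "Pipelines must succeed" merge check is enabled; without it, variants B and C only turn the job red and the approval rule remains the sole gate.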
What the current security gate (approvals) looks like:

[Screenshot: Screenshot_2021-01-27_at_10.42.34]

Open questions:

  1. Do users have reasons to set "allow_to_fail" other than "avoid merging code when vulnerabilities are found"?
  2. Do we suggest users use the security gate instead of "allow_to_fail", or can we remove "allow_to_fail" and keep only the security gate?
  3. Should we allow the security gate to be enabled via the yml file? (Reason: "allow_to_fail" can be set during configuration in the yml file, so the security gate should be part of it to smooth the experience.)
  4. Additional, related topic: shall we separate the security gate from approvals? That might help us make the decision here.